Snort mailing list archives

Re: portscans from 255.255.255.255?


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 30 Jan 2003 16:19:54 -0500

twig les wrote:
Hey all, I have seriously debated whether I should
send this since it may or may not be off-topic; it's
just too bizarre to tell.  My border routers are
syslogging this:

bdr-acl-in denied tcp 255.255.255.255(80) ->
1.1.156.194(8118)

They started here regularly on Jan 29 around 1500 EST.
Someone in Poland recently posted to the Incidents list
that they saw it start up on the same day.

They're coming in every few seconds. Different hosts and high
ports. Varying TTL and ACL numbers.

I haven't found anything here going out that would cause
it.


01/30-14:57:54.393807 255.255.255.255:80 -> InternalAddress:18128
TCP TTL:236 TOS:0x0 ID:24721 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x67E40001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/30-14:57:54.576724 255.255.255.255:80 -> InternalAddress:29922
TCP TTL:238 TOS:0x0 ID:21195 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x4DAB0001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-14:58:13.453737 255.255.255.255:80 -> InternalAddress:8685
TCP TTL:47 TOS:0x0 ID:27062 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x501A0015  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-14:58:19.938537 255.255.255.255:80 -> InternalAddress:28599
TCP TTL:239 TOS:0x0 ID:13989 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x51510001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
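
The packet dumps quoted in this message can be summarised mechanically. The following is an added example, not part of the original post or of Snort itself: it parses the four dumps above and counts TCP segments whose source is 255.255.255.255, reporting their flags, source ports and TTL spread. The function names and the regular expression are this example's own assumptions about the dump layout shown.

```python
import re

# Packet dumps copied from the post above (separator lines dropped).
SAMPLE = """\
01/30-14:57:54.393807 255.255.255.255:80 -> InternalAddress:18128
TCP TTL:236 TOS:0x0 ID:24721 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x67E40001  Win: 0x0  TcpLen: 20
01/30-14:57:54.576724 255.255.255.255:80 -> InternalAddress:29922
TCP TTL:238 TOS:0x0 ID:21195 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x4DAB0001  Win: 0x0  TcpLen: 20
01/30-14:58:13.453737 255.255.255.255:80 -> InternalAddress:8685
TCP TTL:47 TOS:0x0 ID:27062 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x501A0015  Win: 0x0  TcpLen: 20
01/30-14:58:19.938537 255.255.255.255:80 -> InternalAddress:28599
TCP TTL:239 TOS:0x0 ID:13989 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x51510001  Win: 0x0  TcpLen: 20
"""

RECORD = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*\n"
    r"TCP TTL:(?P<ttl>\d+) .*\n"
    r"(?P<flags>[*\w]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)",
    re.MULTILINE)

# Limited-broadcast address: never valid as the source of a TCP segment.
BROADCAST_SRC = "255.255.255.255"

def parse(text):
    """Return one dict per TCP packet dump found in text."""
    packets = []
    for m in RECORD.finditer(text):
        p = m.groupdict()
        p.update(flags={c for c in p["flags"] if c != "*"},  # e.g. {"A", "R"}
                 sport=int(p["sport"]), dport=int(p["dport"]), ttl=int(p["ttl"]))
        packets.append(p)
    return packets

def summarize(packets):
    """Summarise the segments that claim the broadcast address as source."""
    bad = [p for p in packets if p["src"] == BROADCAST_SRC]
    return {
        "count": len(bad),
        "rst_ack_seq0": sum(p["flags"] == {"A", "R"} and int(p["seq"], 16) == 0 for p in bad),
        "src_ports": sorted({p["sport"] for p in bad}),
        "ttls": sorted({p["ttl"] for p in bad}),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```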
