Snort mailing list archives
Snort + Guardian + Acid don't run
From: "Franco Catena" <facatena () surson com br>
Date: Wed, 9 Jun 2004 08:19:33 -0300
Hi,
Well, my problem is the following:
I use CL9 and I managed to install snort 1.9 + acid + guardian. Snort
detects my nmap sweeps and puts them in alert and in portscan.log, as I
read on a forum. (preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log
and preprocessor portscan-ignorehosts: 200.122.34.55)
The point is that the attack attempts are in the file. The fact is that
they don't appear in ACID, and therefore not in MySQL. I already did
mysql -h localhost -u snort -p and everything is fine. What ACID shows
me is:
Signature                                                       Classification  Total #  Sensor #  Src. Addr.  Dest. Addr.  First                Last
[snortDB] (spp_stream4) NMAP FINGERPRINT (stateful) detection   unclassified    5 (31%)  1         1           1            2004-06-07 02:36:45  2004-06-07 19:11:49
[snortDB] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection  unclassified    6 (38%)  1         1           1            2004-06-07 02:36:45  2004-06-07 19:11:52
[snortDB] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection  unclassified    5 (31%)  1         1           1            2004-06-07 02:36:47  2004-06-07 19:11:52
Continuing, I installed guardian 1.7 and it sees the portscan.log file,
but it doesn't take any action.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
Odd.. source = 200.122.34.132, dest = 200.122.34.55. No action done.
config:
# The machine's IP address that is visible to the internet
# If this is left undefined, then guardian will attempt to get the information
# from ifconfig, as long as it has an interface to use. This would be useful
# for people on ppp links, or dhcp machines, or if you are lazy :)
HostIpAddr 200.122.34.55
# Here we define the interface which we will use to guess the IP address, and
# block incoming offending packets. This is the only option that is required
# for guardian to run. If the rest are undefined, guardian will use the default.
Interface eth0
# The last octet of the ip address, which gives us the gateway address.
HostGatewayByte 1
# Guardian's log file
LogFile /var/log/guardian/guardian.log
# Snort's alert file. This can be the snort.alert file, or a syslog file
# There might be some snort alerts that get logged to syslog which guardian
# might not see..
AlertFile /var/log/snort/alert
# The list of ip addresses to ignore
IgnoreFile /etc/guardian.ignore
# This is a list of IP addresses on the current host, in case there is more
# than one. If this file doesn't exist, then it will assume you want to run
# with the default setup (machine's ip address, and broadcast/network).
TargetFile /etc/guardian.target
# The time in seconds to keep a host blocked. If undefined, it defaults to
# 99999999, which basically disables the feature.
TimeLimit 86400
#--------------------------------------------------
# http://www.snort.org Snort 1.9.1 Ruleset
# Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.9.1 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.110.2.4 2002/11/17 04:40:07 cazz Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your
# own custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET [192.168.100.0/24,127.0.0.1]
# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET 200.122.34.55
# Configure your server lists. This allows snort to only look for attacks
# to systems that have a service up. Why look for HTTP attacks if you are
# not running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# Configure your service ports. This allows snort to look for attacks
# destined to a specific application only on the ports that application
# runs on. For example, if you run a web server on port 8081, set your
# HTTP_PORTS variable like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will be adding support for a real list of ports in the future.
# Ports you run web servers on
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of
# servers.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>
# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation. This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a
# 60 second timeout and a 4MB fragment buffer.
# The following (comma delimited) options are available for frag2
# timeout [seconds] - sets the number of [seconds] that an unfinished
#                     fragment will be kept around waiting for completion,
#                     if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [number] bytes
# (default: 4194304)
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept without alerting
# will cause false positves with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Oversized fragment (reassembled frag > 64k bytes)
# 2 Teardrop-type attack
preprocessor frag2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules. Also performs full TCP stream
# reassembly, stateful inspection of TCP streams, etc. Can statefully
# detect various portscan types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
#                when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
#                         noisy because there are a lot of crappy ip stack
#                         implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
# min_ttl - this option has been moved to config min_ttl: <int>
#
# ttl_limit [number] - differential of the initial ttl on a session versus
#                      the normal that someone may be playing games.
#                      Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
#                              get them in a flat format for machine reading, add
#                              "binary" to get them in a unified binary output
#                              format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
#                    default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
#                       cause all packets that are stored in the stream4
#                       packet buffers to be flushed to disk. This only
#                       works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: detect_scans, disable_evasion_alerts
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
#                will turn on reassembly for all ports, "default" will turn
#                on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                and 513
preprocessor stream4_reassemble
# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote
# machines by converting any %XX character
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request.
# Specify the port numbers you want it to analyze as arguments.
#
# Major code cleanups thanks to rfp
#
# unicode - normalize unicode
# iis_alt_unicode - %u encoding from iis
# double_encode - alert on possible double encodings
# iis_flip_slash - normalize \ as /
# full_whitespace - treat \t as whitespace ( for apache )
#
# for that GID:
# SID Event description
# ----- -------------------
# 1 UNICODE attack
# 2 NULL byte attack
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default. This preprocessor
# normalizes RPC traffic in much the same way as the http_decode
# preprocessor. This plugin takes the port numbers that RPC
# services are running on as arguments.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. This preprocessor
# uses the Back Orifice "encryption" algorithm to search for
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments. The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces
# the key space of the protocol to find BO traffic). The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic. The
# default value is 31337 (just like BO). Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo: -nobrute
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic. It works in much the same way as the
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# telnet_decode uses Generator ID 109 and does not generate any SID currently.
preprocessor telnet_decode
# Portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.
# Portscan uses Generator ID 100 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Portscan detect
# 2 Inter-scan info
# 3 Portscan End
preprocessor portscan: $EXTERNAL_NET 4 3 portscan.log
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
preprocessor portscan-ignorehosts: 200.122.34.55
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use
# of this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# ASN1 Decode
#-----------------------------------------
# This is an experimental preprocessor. ASN.1 decoder and analysis plugin
# from Andrew R. Baker. This preprocessor will detect abuses of the ASN.1
# protocol that higher level protocols (like SSL, SNMP, x.509, etc) rely on.
# The ASN.1 decoder uses Generator ID 115 and uses the following SIDs for
# that GID:
# SID Event description
# ----- -------------------
# 1 Indefinite length
# 2 Invalid length
# 3 Oversized item
# 4 ASN.1 specification violation
# 5 Datum bad length
# preprocessor asn1_decode
# Fnord
#-----------------------------------------
# This is an experimental preprocessor. Polymorphic shellcode analyzer and
# detector by Dragos Ruiu. This preprocessor will watch traffic for
# polymorphic NOP-type sleds to defeat tools like ADMutate. The Fnord detector
# uses Generator ID 114 and the following SIDs:
# SID Event description
# ----- -------------------
# 1 NOP-sled detected
# preprocessor fnord
# Conversation
#------------------------------------------
# This preprocessor tracks conversations for tcp, udp and icmp traffic. It
# is a prerequisite for running portscan2.
#
# allowed_ip_protocols 1 6 17
#     list of allowed ip protocols ( defaults to any )
#
# timeout [num]
# conversation timeout ( defaults to 60 )
#
#
# max_conversations [num]
# number of conversations to support at once (defaults to 65335)
#
#
# alert_odd_protocols
# alert on protocols not listed in allowed_ip_protocols
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
# Portscan2
#-------------------------------------------
# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
# scanners_max [num]
# targets_max [num]
# target_limit [num]
# port_limit [num]
# timeout [num]
# log [logdir]
# preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
# Experimental Perf stats
# -----------------------
# No docs. Highly subject to change.
#
# preprocessor perfmonitor: console flow events time 10
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
# output alert_syslog: LOG_AUTH LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
# output database: log, mysql, user=snort password=joaquisouza dbname=snort host=localhost
output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging
# and generating alerts from Snort, the "unified" format. The
# unified format is a straight binary format for logging data
# out of Snort that is designed to be fast and efficient. Used
# with barnyard (the new alert/log processor), most of the overhead
# for logging and alerting to various slow storage mechanisms
# such as databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
# trap_snmp: SNMP alerting for Snort
# -------------------------------------------------------------
# Read the README.SNMP file for more information on enabling and using this
# plug-in.
#
#
# The trap_snmp plugin accepts the following notification options
# [c],[p[m|s]]
# where,
# c : Generate compact notifications. (Saves on bandwidth by
#     not reporting MOs for which values are unknown, not
#     available or, not applicable). By default this option is reset.
# p : Generate a print of the invariant part of the offending packet.
#     This can be used to track the packet across the Internet.
#     By default this option is reset.
# m : Use the MD5 algorithm to generate the packet print.
# By default this algorithm is used.
# s : Use the SHA1 algorithm to generate the packet print.
#
# The trap_snmp plugin requires several parameters
# The parameters depend on the SNMP version that is used (specified)
# For the SNMPv2c case the parameters will be as follows
# alert, <sensorID>, [NotificationOptions] , {trap|inform}
# -v <SnmpVersion> [-p <portNumber>] -c <community> <hostName>
#
# For SNMPv2c traps to the standard snmpTrap port# 162 with
# MD5-digest based packetPrint generation
#
# output trap_snmp: alert, 7, cpm, trap -v 2c -c myCommunity myTrapListener
#
# For SNMPv2c informs with the 'compact' notification option to port 999
#
# output trap_snmp: alert, 7, c, inform -v 2c -p 999 -c myCommunity myTrapListener
#
#
# For SNMPv3 traps with
# security name = snortUser
# security level = authentication and privacy
# authentication parameters :
# authentication protocol = SHA ,
# authentication pass phrase = SnortAuthPassword
# privacy (encryption) parameters
# privacy protocol = DES,
# privacy pass phrase = SnortPrivPassword
#
#output trap_snmp: alert, 7, trap -v 3 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
#For SNMPv3 informs with authentication and encryption to myTrapListener
#on port 999
#output trap_snmp: alert, 7, inform -v 3 -p 999 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
# You can optionally define new rule types and associate one or
# more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE
# redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
#   flags:A+;)
#
# Include classification & priority settings
#
include classification.config
#
# Include reference systems
#
include reference.config
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are encouraged
# to comment out rules that are not applicable in your environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
# Ron Gula <rgula () securitywizards com> of Network Security Wizards
# Max Vision <vision () whitehats com>
# Martin Markgraf <martin () mail du gtn com>
# Fyodor Yarochkin <fygrave () tigerteam net>
# Nick Rogness <nick () rapidnet com>
# Jim Forster <jforster () rapidnet com>
# Scott McIntyre <scott () whoi edu>
# Tom Vandepoel <Tom.Vandepoel () ubizen com>
# Brian Caswell <bmc () snort org>
# Zeno <admin () cgisecurity com>
# Ryan Russell <ryan () securityfocus com>
#
#=========================================
# Include all relevant rulesets here
#
# shellcode, policy, info, backdoor, and virus rulesets are
# disabled by default. These require tuning and maintance.
# Please read the included specific file for more information.
#=========================================
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
[**] [1:729:3] Virus - Possible scr Worm [**]
[Classification: Misc activity] [Priority: 3]
06/06-11:03:12.272287 200.230.22.5:110 -> 200.122.34.55:14387 TCP
TTL:119 TOS:0x0 ID:52057 IpLen:20 DgmLen:411 DF
***AP*** Seq: 0xD159CF99 Ack: 0xD3F3D993 Win: 0xFC05 TcpLen: 20
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 200.122.34.132 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/07-02:17:53.414748
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 40 connections across 1 hosts: TCP(40), UDP(0) [**]
06/07-02:17:56.111341
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 38 connections across 1 hosts: TCP(38), UDP(0) [**]
06/07-02:18:00.008500
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70 connections across 1 hosts: TCP(70), UDP(0) [**]
06/07-02:18:04.170192
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69 connections across 1 hosts: TCP(69), UDP(0) [**]
06/07-02:18:08.008897
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70 connections across 1 hosts: TCP(70), UDP(0) [**]
06/07-02:18:12.194667
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66 connections across 1 hosts: TCP(66), UDP(0) [**]
06/07-02:18:16.012419
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75 connections across 1 hosts: TCP(75), UDP(0) [**]
06/07-02:18:20.171640
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75 connections across 1 hosts: TCP(75), UDP(0) [**]
06/07-02:18:24.062879
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76 connections across 1 hosts: TCP(76), UDP(0) [**]
06/07-02:18:28.224130
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 68 connections across 1 hosts: TCP(68), UDP(0) [**]
06/07-02:18:32.063113
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 72 connections across 1 hosts: TCP(72), UDP(0) [**]
06/07-02:18:36.124981
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 78 connections across 1 hosts: TCP(78), UDP(0) [**]
06/07-02:18:40.010413
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 83 connections across 1 hosts: TCP(83), UDP(0) [**]
06/07-02:18:44.124928
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 82 connections across 1 hosts: TCP(82), UDP(0) [**]
06/07-02:18:48.006406
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 83 connections across 1 hosts: TCP(83), UDP(0) [**]
06/07-02:18:52.124844
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 79 connections across 1 hosts: TCP(79), UDP(0) [**]
06/07-02:18:56.116191
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 82 connections across 1 hosts: TCP(82), UDP(0) [**]
06/07-02:19:00.263616
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 86 connections across 1 hosts: TCP(86), UDP(0) [**]
06/07-02:19:04.296331
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 85 connections across 1 hosts: TCP(85), UDP(0) [**]
06/07-02:19:08.008598
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 89 connections across 1 hosts: TCP(89), UDP(0) [**]
06/07-02:19:12.057679
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 96 connections across 1 hosts: TCP(96), UDP(0) [**]
06/07-02:19:16.016833
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 38 connections across 1 hosts: TCP(38), UDP(0) [**]
06/07-02:32:59.606604
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/07-02:33:54.571344
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 40 connections across 1 hosts: TCP(40), UDP(0) [**]
06/07-02:33:58.110521
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59 connections across 1 hosts: TCP(59), UDP(0) [**]
06/07-02:34:02.117164
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 62 connections across 1 hosts: TCP(62), UDP(0) [**]
06/07-02:34:06.112425
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 67 connections across 1 hosts: TCP(67), UDP(0) [**]
06/07-02:34:10.119811
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71 connections across 1 hosts: TCP(71), UDP(0) [**]
06/07-02:34:14.113579
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75 connections across 1 hosts: TCP(75), UDP(0) [**]
06/07-02:34:18.008001
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59 connections across 1 hosts: TCP(59), UDP(0) [**]
06/07-02:34:22.003818
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76 connections across 1 hosts: TCP(76), UDP(0) [**]
06/07-02:34:26.253685
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76 connections across 1 hosts: TCP(76), UDP(0) [**]
06/07-02:34:30.007260
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 79 connections across 1 hosts: TCP(79), UDP(0) [**]
06/07-02:34:34.124812
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 81 connections across 1 hosts: TCP(81), UDP(0) [**]
06/07-02:34:38.046735
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 87 connections across 1 hosts: TCP(87), UDP(0) [**]
06/07-02:34:42.019648
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 89 connections across 1 hosts: TCP(89), UDP(0) [**]
06/07-02:34:46.177958
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 82 connections across 1 hosts: TCP(82), UDP(0) [**]
06/07-02:34:50.009318
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 97 connections across 1 hosts: TCP(97), UDP(0) [**]
06/07-02:34:54.168120
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 91 connections across 1 hosts: TCP(91), UDP(0) [**]
06/07-02:34:58.208689
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 94 connections across 1 hosts: TCP(94), UDP(0) [**]
06/07-02:35:02.202012
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 90 connections across 1 hosts: TCP(90), UDP(0) [**]
06/07-02:35:06.050758
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 103 connections across 1 hosts: TCP(103), UDP(0) [**]
06/07-02:35:10.006735
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 98 connections across 1 hosts: TCP(98), UDP(0) [**]
06/07-02:35:14.216961
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 104 connections across 1 hosts: TCP(104), UDP(0) [**]
06/07-02:35:18.052988
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 44 connections across 1 hosts: TCP(44), UDP(0) [**]
06/07-02:35:22.210937
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69 connections across 1 hosts: TCP(69), UDP(0) [**]
06/07-02:35:26.050301
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70 connections across 1 hosts: TCP(70), UDP(0) [**]
06/07-02:35:30.212187
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 63 connections across 1 hosts: TCP(63), UDP(0) [**]
06/07-02:35:34.052286
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66 connections across 1 hosts: TCP(66), UDP(0) [**]
06/07-02:35:38.052805
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 77 connections across 1 hosts: TCP(77), UDP(0) [**]
06/07-02:35:42.214618
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76 connections across 1 hosts: TCP(76), UDP(0) [**]
06/07-02:35:46.055068
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76 connections across 1 hosts: TCP(76), UDP(0) [**]
06/07-02:35:50.102583
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 79
connections across 1 hosts: TCP(79), UDP(0) [**] 06/07-02:35:54.164910
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 82
connections across 1 hosts: TCP(82), UDP(0) [**] 06/07-02:35:58.006510
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 83
connections across 1 hosts: TCP(83), UDP(0) [**] 06/07-02:36:02.157913
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 73
connections across 1 hosts: TCP(73), UDP(0) [**] 06/07-02:36:06.009244
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 84
connections across 1 hosts: TCP(84), UDP(0) [**] 06/07-02:36:10.156913
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 88
connections across 1 hosts: TCP(88), UDP(0) [**] 06/07-02:36:14.011106
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 86
connections across 1 hosts: TCP(86), UDP(0) [**] 06/07-02:36:18.157196
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 77
connections across 1 hosts: TCP(77), UDP(0) [**] 06/07-02:36:22.205950
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 77
connections across 1 hosts: TCP(77), UDP(0) [**] 06/07-02:36:26.008708
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 81
connections across 1 hosts: TCP(81), UDP(0) [**] 06/07-02:36:30.229690
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 85
connections across 1 hosts: TCP(85), UDP(0) [**] 06/07-02:36:34.057838
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 95
connections across 1 hosts: TCP(95), UDP(0) [**] 06/07-02:36:38.220935
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 95
connections across 1 hosts: TCP(95), UDP(0) [**] 06/07-02:36:42.058920
[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
06/07-02:36:45.622487 200.122.34.132:43035 -> 200.122.34.55:21 TCP
TTL:45 TOS:0x0 ID:58018 IpLen:20 DgmLen:60
***A**** Seq: 0xCFC017EE Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection
[**] 06/07-02:36:45.641925 200.122.34.132:43038 -> 200.122.34.55:83 TCP
TTL:45 TOS:0x0 ID:65134 IpLen:20 DgmLen:60 **U*P**F Seq: 0xCFC017EE
Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0 TCP Options (5) => WS: 10
NOP MSS: 265 TS: 1061109567 0 EOL
[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
06/07-02:36:47.508223 200.122.34.132:43033 -> 200.122.34.55:21 TCP
TTL:45 TOS:0x0 ID:32656 IpLen:20 DgmLen:60
******** Seq: 0xCFC017EE Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 84
connections across 1 hosts: TCP(84), UDP(0) STEALTH [**]
06/07-02:36:47.539193
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 1
connections across 1 hosts: TCP(1), UDP(0) [**] 06/07-02:36:52.607394
[**] [100:3:1] spp_portscan: End of portscan from 200.122.34.132: TOTAL
time(1140s) hosts(1) TCP(4992) UDP(0) STEALTH [**] 06/07-02:46:37.573742
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 200.122.34.132
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/07-03:10:13.569239
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 41
connections across 1 hosts: TCP(41), UDP(0) [**] 06/07-03:10:17.253173
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 56
connections across 1 hosts: TCP(56), UDP(0) [**] 06/07-03:10:21.186624
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 68
connections across 1 hosts: TCP(68), UDP(0) [**] 06/07-03:10:25.030899
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:10:29.188928
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66
connections across 1 hosts: TCP(66), UDP(0) [**] 06/07-03:10:33.027975
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-03:10:37.188055
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:10:41.028573
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-03:10:45.069472
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 80
connections across 1 hosts: TCP(80), UDP(0) [**] 06/07-03:10:49.806378
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 80
connections across 1 hosts: TCP(80), UDP(0) [**] 06/07-03:10:53.006414
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75
connections across 1 hosts: TCP(75), UDP(0) [**] 06/07-03:10:57.015416
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 80
connections across 1 hosts: TCP(80), UDP(0) [**] 06/07-03:11:01.114903
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 83
connections across 1 hosts: TCP(83), UDP(0) [**] 06/07-03:11:05.005238
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 88
connections across 1 hosts: TCP(88), UDP(0) [**] 06/07-03:11:09.132516
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 88
connections across 1 hosts: TCP(88), UDP(0) [**] 06/07-03:11:13.005708
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 88
connections across 1 hosts: TCP(88), UDP(0) [**] 06/07-03:11:17.132821
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 89
connections across 1 hosts: TCP(89), UDP(0) [**] 06/07-03:11:21.009706
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 95
connections across 1 hosts: TCP(95), UDP(0) [**] 06/07-03:11:25.750762
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69
connections across 1 hosts: TCP(69), UDP(0) [**] 06/07-03:11:29.149119
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 14
connections across 1 hosts: TCP(14), UDP(0) [**] 06/07-03:11:33.004984
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 19
connections across 1 hosts: TCP(19), UDP(0) [**] 06/07-03:11:37.400894
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 21
connections across 1 hosts: TCP(21), UDP(0) [**] 06/07-03:11:41.806012
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 18
connections across 1 hosts: TCP(18), UDP(0) [**] 06/07-03:11:45.051932
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 28
connections across 1 hosts: TCP(28), UDP(0) [**] 06/07-03:11:49.003250
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 27
connections across 1 hosts: TCP(27), UDP(0) [**] 06/07-03:11:53.374486
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 33
connections across 1 hosts: TCP(33), UDP(0) [**] 06/07-03:11:57.555974
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 42
connections across 1 hosts: TCP(42), UDP(0) [**] 06/07-03:12:01.491847
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 37
connections across 1 hosts: TCP(37), UDP(0) [**] 06/07-03:12:05.231818
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 33
connections across 1 hosts: TCP(33), UDP(0) [**] 06/07-03:12:09.254466
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 39
connections across 1 hosts: TCP(39), UDP(0) [**] 06/07-03:12:13.286774
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 37
connections across 1 hosts: TCP(37), UDP(0) [**] 06/07-03:12:17.009276
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 44
connections across 1 hosts: TCP(44), UDP(0) [**] 06/07-03:12:21.456380
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 40
connections across 1 hosts: TCP(40), UDP(0) [**] 06/07-03:12:25.377359
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 43
connections across 1 hosts: TCP(43), UDP(0) [**] 06/07-03:12:29.295635
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 43
connections across 1 hosts: TCP(43), UDP(0) [**] 06/07-03:12:33.215047
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 42
connections across 1 hosts: TCP(42), UDP(0) [**] 06/07-03:12:37.137332
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 43
connections across 1 hosts: TCP(43), UDP(0) [**] 06/07-03:12:41.055556
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 46
connections across 1 hosts: TCP(46), UDP(0) [**] 06/07-03:12:45.010348
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 53
connections across 1 hosts: TCP(53), UDP(0) [**] 06/07-03:12:49.457314
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 46
connections across 1 hosts: TCP(46), UDP(0) [**] 06/07-03:12:53.379299
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 47
connections across 1 hosts: TCP(47), UDP(0) [**] 06/07-03:12:57.298245
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 48
connections across 1 hosts: TCP(48), UDP(0) [**] 06/07-03:13:01.221161
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 51
connections across 1 hosts: TCP(51), UDP(0) [**] 06/07-03:13:05.139866
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 51
connections across 1 hosts: TCP(51), UDP(0) [**] 06/07-03:13:09.061694
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 51
connections across 1 hosts: TCP(51), UDP(0) [**] 06/07-03:13:13.007999
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 58
connections across 1 hosts: TCP(58), UDP(0) [**] 06/07-03:13:17.477924
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 52
connections across 1 hosts: TCP(52), UDP(0) [**] 06/07-03:13:21.381506
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:13:25.300286
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:13:29.222858
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 43
connections across 1 hosts: TCP(43), UDP(0) [**] 06/07-03:13:33.008591
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:13:37.323501
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:13:41.244973
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:13:45.733891
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 58
connections across 1 hosts: TCP(58), UDP(0) [**] 06/07-03:13:49.395492
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:13:53.317060
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:13:57.235512
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:14:01.426643
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:14:05.348726
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:14:09.267127
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 63
connections across 1 hosts: TCP(63), UDP(0) [**] 06/07-03:14:13.186363
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 63
connections across 1 hosts: TCP(63), UDP(0) [**] 06/07-03:14:17.114910
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 63
connections across 1 hosts: TCP(63), UDP(0) [**] 06/07-03:14:21.028508
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-03:14:25.370970
[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
06/07-03:14:27.092771 200.122.34.132:34749 -> 200.122.34.55:21 TCP
TTL:41 TOS:0x0 ID:30110 IpLen:20 DgmLen:60
***A**** Seq: 0x6AC4BA65 Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection
[**] 06/07-03:14:27.136988 200.122.34.132:34752 -> 200.122.34.55:83 TCP
TTL:41 TOS:0x0 ID:29674 IpLen:20 DgmLen:60 **U*P**F Seq: 0x6AC4BA65
Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0 TCP Options (5) => WS: 10
NOP MSS: 265 TS: 1061109567 0 EOL
[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
06/07-03:14:30.015854 200.122.34.132:34747 -> 200.122.34.55:21 TCP
TTL:41 TOS:0x0 ID:15819 IpLen:20 DgmLen:60
******** Seq: 0x6AC4BA65 Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 30
connections across 1 hosts: TCP(30), UDP(0) STEALTH [**]
06/07-03:14:30.042118
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 1
connections across 1 hosts: TCP(1), UDP(0) [**] 06/07-03:14:34.300280
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 1
connections across 1 hosts: TCP(1), UDP(0) [**] 06/07-03:32:48.124280
[**] [100:3:1] spp_portscan: End of portscan from 200.122.34.132: TOTAL
time(262s) hosts(1) TCP(3505) UDP(0) STEALTH [**] 06/07-03:42:07.346519
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 200.122.34.132
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/07-03:55:30.557498
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 40
connections across 1 hosts: TCP(40), UDP(0) [**] 06/07-03:55:34.128833
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 51
connections across 1 hosts: TCP(51), UDP(0) [**] 06/07-03:55:38.039049
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-03:55:44.147611
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 30
connections across 1 hosts: TCP(30), UDP(0) [**] 06/07-03:55:46.357942
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:55:50.219785
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 36
connections across 1 hosts: TCP(36), UDP(0) [**] 06/07-03:55:54.061439
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 41
connections across 1 hosts: TCP(41), UDP(0) [**] 06/07-03:55:58.204038
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 41
connections across 1 hosts: TCP(41), UDP(0) [**] 06/07-03:56:02.043157
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 45
connections across 1 hosts: TCP(45), UDP(0) [**] 06/07-03:56:06.301930
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 47
connections across 1 hosts: TCP(47), UDP(0) [**] 06/07-03:56:10.141646
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:56:14.006079
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 54
connections across 1 hosts: TCP(54), UDP(0) [**] 06/07-03:56:18.120364
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:56:22.263296
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 55
connections across 1 hosts: TCP(55), UDP(0) [**] 06/07-03:56:26.105712
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-03:56:30.264034
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 62
connections across 1 hosts: TCP(62), UDP(0) [**] 06/07-03:56:34.186480
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 64
connections across 1 hosts: TCP(64), UDP(0) [**] 06/07-03:56:38.133533
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69
connections across 1 hosts: TCP(69), UDP(0) [**] 06/07-03:56:42.184978
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-03:56:46.039687
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-03:56:50.185890
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-03:56:54.028248
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 78
connections across 1 hosts: TCP(78), UDP(0) [**] 06/07-03:56:58.328616
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-03:57:02.118710
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 77
connections across 1 hosts: TCP(77), UDP(0) [**] 06/07-03:57:06.210299
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 62
connections across 1 hosts: TCP(62), UDP(0) [**] 06/07-03:57:10.169188
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 67
connections across 1 hosts: TCP(67), UDP(0) [**] 06/07-03:57:14.289748
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69
connections across 1 hosts: TCP(69), UDP(0) [**] 06/07-03:57:18.301890
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-03:57:22.299407
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 41
connections across 1 hosts: TCP(41), UDP(0) [**] 06/07-03:57:26.220007
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 51
connections across 1 hosts: TCP(51), UDP(0) [**] 06/07-03:57:30.019558
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 60
connections across 1 hosts: TCP(60), UDP(0) [**] 06/07-03:57:34.201372
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:57:38.008588
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-03:57:42.182676
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 53
connections across 1 hosts: TCP(53), UDP(0) [**] 06/07-03:57:46.081118
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66
connections across 1 hosts: TCP(66), UDP(0) [**] 06/07-03:57:50.261249
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 44
connections across 1 hosts: TCP(44), UDP(0) [**] 06/07-03:57:54.929321
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66
connections across 1 hosts: TCP(66), UDP(0) [**] 06/07-03:57:58.441526
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 59
connections across 1 hosts: TCP(59), UDP(0) [**] 06/07-03:58:02.183739
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-03:58:06.006266
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-03:58:10.214419
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-03:58:14.010470
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 64
connections across 1 hosts: TCP(64), UDP(0) [**] 06/07-03:58:18.015950
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75
connections across 1 hosts: TCP(75), UDP(0) [**] 06/07-03:58:22.008278
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:58:26.169675
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 65
connections across 1 hosts: TCP(65), UDP(0) [**] 06/07-03:58:30.107521
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66
connections across 1 hosts: TCP(66), UDP(0) [**] 06/07-03:58:34.089567
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 69
connections across 1 hosts: TCP(69), UDP(0) [**] 06/07-03:58:38.087761
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 72
connections across 1 hosts: TCP(72), UDP(0) [**] 06/07-03:58:42.089028
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-03:58:46.271008
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-03:58:50.283850
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 72
connections across 1 hosts: TCP(72), UDP(0) [**] 06/07-03:58:54.259949
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 72
connections across 1 hosts: TCP(72), UDP(0) [**] 06/07-03:58:58.252584
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:59:02.250365
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 74
connections across 1 hosts: TCP(74), UDP(0) [**] 06/07-03:59:06.142800
[**] [111:12:1] (spp_stream4) NMAP FINGERPRINT (stateful) detection [**]
06/07-03:59:07.745837 200.122.34.132:60995 -> 200.122.34.55:21 TCP
TTL:50 TOS:0x0 ID:62837 IpLen:20 DgmLen:60
***A**** Seq: 0x14B54B78 Ack: 0x0 Win: 0x800 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [111:10:1] (spp_stream4) STEALTH ACTIVITY (XMAS scan) detection
[**] 06/07-03:59:07.758686 200.122.34.132:60998 -> 200.122.34.55:83 TCP
TTL:50 TOS:0x0 ID:4744 IpLen:20 DgmLen:60 **U*P**F Seq: 0x14B54B78 Ack:
0x0 Win: 0x800 TcpLen: 40 UrgPtr: 0x0 TCP Options (5) => WS: 10 NOP
MSS: 265 TS: 1061109567 0 EOL
[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
06/07-03:59:09.767140 200.122.34.132:60993 -> 200.122.34.55:21 TCP
TTL:50 TOS:0x0 ID:1443 IpLen:20 DgmLen:60
******** Seq: 0x14B54B78 Ack: 0x0 Win: 0x800 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 32
connections across 1 hosts: TCP(32), UDP(0) STEALTH [**]
06/07-03:59:12.142408
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 1
connections across 1 hosts: TCP(1), UDP(0) [**] 06/07-04:01:46.884385
[**] [100:3:1] spp_portscan: End of portscan from 200.122.34.132: TOTAL
time(223s) hosts(1) TCP(3368) UDP(0) STEALTH [**] 06/07-04:05:06.453261
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 200.47.143.63
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/07-15:34:26.579319
[**] [100:2:1] spp_portscan: portscan status from 200.47.143.63: 7
connections across 1 hosts: TCP(7), UDP(0) [**] 06/07-15:34:35.429394
[**] [100:2:1] spp_portscan: portscan status from 200.47.143.63: 1
connections across 1 hosts: TCP(1), UDP(0) [**] 06/07-15:34:53.580910
[**] [100:3:1] spp_portscan: End of portscan from 200.47.143.63: TOTAL
time(9s) hosts(1) TCP(8) UDP(0) [**] 06/07-15:34:59.632138
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 200.122.34.132
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/07-18:46:47.584609
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 40
connections across 1 hosts: TCP(40), UDP(0) [**] 06/07-18:46:51.280494
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 50
connections across 1 hosts: TCP(50), UDP(0) [**] 06/07-18:46:55.892620
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 60
connections across 1 hosts: TCP(60), UDP(0) [**] 06/07-18:46:59.097038
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 64
connections across 1 hosts: TCP(64), UDP(0) [**] 06/07-18:47:03.094416
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-18:47:07.255018
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-18:47:11.005788
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 64
connections across 1 hosts: TCP(64), UDP(0) [**] 06/07-18:47:15.225808
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 68
connections across 1 hosts: TCP(68), UDP(0) [**] 06/07-18:47:19.010784
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 81
connections across 1 hosts: TCP(81), UDP(0) [**] 06/07-18:47:23.180575
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-18:47:27.005539
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 79
connections across 1 hosts: TCP(79), UDP(0) [**] 06/07-18:47:31.006169
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 90
connections across 1 hosts: TCP(90), UDP(0) [**] 06/07-18:47:35.249389
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 86
connections across 1 hosts: TCP(86), UDP(0) [**] 06/07-18:47:39.007849
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 91
connections across 1 hosts: TCP(91), UDP(0) [**] 06/07-18:47:43.009378
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 94
connections across 1 hosts: TCP(94), UDP(0) [**] 06/07-18:47:47.112158
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 95
connections across 1 hosts: TCP(95), UDP(0) [**] 06/07-18:47:51.011428
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 95
connections across 1 hosts: TCP(95), UDP(0) [**] 06/07-18:47:55.111879
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 99
connections across 1 hosts: TCP(99), UDP(0) [**] 06/07-18:47:59.010781
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 101
connections across 1 hosts: TCP(101), UDP(0) [**] 06/07-18:48:03.111560
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 100
connections across 1 hosts: TCP(100), UDP(0) [**] 06/07-18:48:07.103841
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 103
connections across 1 hosts: TCP(103), UDP(0) [**] 06/07-18:48:11.040559
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 60
connections across 1 hosts: TCP(60), UDP(0) [**] 06/07-18:48:15.062948
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 70
connections across 1 hosts: TCP(70), UDP(0) [**] 06/07-18:48:19.225296
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 61
connections across 1 hosts: TCP(61), UDP(0) [**] 06/07-18:48:23.054529
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-18:48:27.194163
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 75
connections across 1 hosts: TCP(75), UDP(0) [**] 06/07-18:48:31.034848
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-18:48:35.196272
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 66
connections across 1 hosts: TCP(66), UDP(0) [**] 06/07-18:48:39.035881
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 76
connections across 1 hosts: TCP(76), UDP(0) [**] 06/07-18:48:43.194876
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 79
connections across 1 hosts: TCP(79), UDP(0) [**] 06/07-18:48:47.087669
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 83
connections across 1 hosts: TCP(83), UDP(0) [**] 06/07-18:48:51.204337
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 72
connections across 1 hosts: TCP(72), UDP(0) [**] 06/07-18:48:55.037578
[**] [100:2:1] spp_portscan: portscan status from 200.122.34.132: 71
connections across 1 hosts: TCP(71), UDP(0) [**] 06/07-18:48:59.085322
Franco Catena
http://www.surson.com.br
tel 011-55390073
cel:82021562
MSN: facdavilla () hotmail com
ICQ: 24755602
[This email is free of viruses]
Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.245 / Virus Database: 263.1.2 - Release Date: 7/6/2004
Snort-users mailing list
Snort-users () lists sourceforge net
