Dries Kimpe <[EMAIL PROTECTED]> writes:
> Today, I saw in the snort logs the following:
> (removed ip & date to get it in 78-col format)
>
> 193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
> 193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
[snip]
> 193.189.224.13:42967 -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:21 -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:43074 -> ip:113 SYN 12****S* RESERVEDBITS
> 143.169.4.111:22 -> ip:22 SYNFIN ******SF
> 143.169.4.111:4614 -> ip:22 SYN ******S*
>
> Is this a so-called ftp-bounce scan? Because it starts every time with a
> connection from port 21, and next to a bunch of connections on higher
> ports. These came in bursts, each time for about one minute or so.

Looks like FTP to me, full-stop. It's just that you've not sorted out your
snort rules to cope with ECN yet, have you?

~Tim
-- 
Tell me where oh where has summer gone | [EMAIL PROTECTED]
It hasn't come this year               | http://piglet.is.dreaming.org
You always cry when swallows fly       |
With doubts in search of dreams        |
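
Added example, not part of either message: the flag column in these alerts follows the old Snort layout `12UAPRSF`, where `1` and `2` are the formerly reserved bits that RFC 3168 assigns to CWR and ECE. The code below decodes that column for lines copied from the post and labels the ECN handshake segments; the function names are illustrative.

```python
import re

# Old Snort flag column layout "12UAPRSF": '1'/'2' are the two formerly
# reserved bits, which RFC 3168 reassigned to CWR (0x80) and ECE (0x40).
BITS = {"1": 0x80, "2": 0x40, "U": 0x20, "A": 0x10,
        "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
CWR, ECE, ACK, SYN, FIN = 0x80, 0x40, 0x10, 0x02, 0x01

LINE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) \S+ ([12UAPRSF*]{8})")

def parse_flags(field):
    """Turn a flag column such as '12****S*' into the TCP flags byte."""
    return sum(BITS[c] for c in field if c != "*")

def classify(flags):
    """Name the handshake segment, using RFC 3168 for the ECN cases."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN (never valid, ECN or not)"
    if flags == SYN | ECE | CWR:
        return "ECN-setup SYN"
    if flags == SYN | ACK | ECE:
        return "ECN-setup SYN-ACK"
    if flags == SYN:
        return "plain SYN"
    if flags == SYN | ACK:
        return "plain SYN-ACK"
    return "other"

def triage(log):
    """Return (src_port, dst_port, verdict) for each parsable alert line."""
    out = []
    for m in LINE.finditer(log):
        out.append((int(m.group(2)), int(m.group(4)),
                    classify(parse_flags(m.group(5)))))
    return out

# Alert lines copied from the post above ("ip" is the poster's redaction).
SAMPLE = """\
193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF
143.169.4.111:4614 -> ip:22 SYN ******S*
"""

if __name__ == "__main__":
    for sport, dport, verdict in triage(SAMPLE):
        print(f"{sport:>5} -> {dport:<5} {verdict}")
```

The lines tagged RESERVEDBITS decode to the two ECN-setup segments RFC 3168 defines for connection establishment, while the SYNFIN line carries neither ECN bit and is flagged on its own terms.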

