bizzare NULL scan

From: Not Really (messiaenat_private)
Date: Wed May 02 2001 - 04:36:21 PDT

Next message: Meritt James: "What "methods" are being used"

Previous message: Valdis Kletnieks: "Re: Strange Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I do IDS/Security for a university. We have a class B address space, and
a firewall on the internet
pipe.

I've just placed a Snort sensor outside the firewall (we already have a
IDS on the internal side of
the firewall and seen some odd things).

Can anyone explain what the following scan was trying to do? I don't understand
the from port 0 ->
port 0 stuff, or indeed the payload.  I'd think it was a mis-configured
bit of kit, but that netblock
is in Brazil....

All times are British Summer Time (UST +  1).  Snort logs attached.

Arthur



Free, encrypted, secure Web-based email at www.hushmail.com

application/octet-stream attachment: snort-logs

IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages. Get your FREE, totally secure email address at http://www.hushmail.com.

Next message: Meritt James: "What "methods" are being used"
Previous message: Valdis Kletnieks: "Re: Strange Activity"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 02 2001 - 09:10:15 PDT