On Sun, 20 May 2001, Fabio Bastiglia Oliva wrote:

> Anyone here got something like this?
>
> check these details:
>
> ########################
> Snort
>
> #(3 - 7573) [2001-05-20 14:54:41] SCAN synscan portscan
>
> IPv4: 63.170.232.2 -> 200.xxx.xxx.xxx
> hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737
> TCP: port=21 -> dport: 21 flags=******SF seq=1511872466
> ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433
> Payload: none

Grepping through my logs, I came across this entry from 5/19:

13:48:37.371260 shikoshin.com.ftp > my.host.ftp: SF 23013211:23013211(0) win 1028 (ttl 13, id 39426)

The scanning host was a linux 2.2 box. The signatures are almost identical, perhaps we are seeing the same tool in both instances here?

-spaceork

"All the time they were creating
What has destroyed them,
And they fall with the burden
They built."
--------------------------------
spaceorkat_private
http://www.dhp.com/~spaceork
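
The comparison behind "almost identical", written out as an added example (not part of the original message or of Snort/tcpdump): it parses the two log entries quoted above into the same header fields and reports which ones differ. The helper names and the one-entry `SERVICES` table are assumptions made for this sketch.

```python
import re

# Log lines copied from the message above: Snort alert detail and tcpdump output.
SNORT = ("hlen=5 TOS=32 dlen=40 ID=39426 flags=0 offset=0 TTL=26 chksum=15737 "
         "TCP: port=21 -> dport: 21 flags=******SF seq=1511872466 "
         "ack=1763444313 off=5 res=0 win=1028 urp=0 chksum=49433")
TCPDUMP = ("13:48:37.371260 shikoshin.com.ftp > my.host.ftp: "
           "SF 23013211:23013211(0) win 1028 (ttl 13, id 39426)")

SERVICES = {"ftp": 21}  # assumption: only the service name that appears above


def port(token):
    """tcpdump prints well-known ports by name; map them back to numbers."""
    return int(token) if token.isdigit() else SERVICES[token]


def fingerprint(flags, ip_id, win, ttl, sport, dport):
    """Normalised set of header fields used to compare two observations."""
    return {"flags": frozenset(flags), "ip_id": int(ip_id), "win": int(win),
            "ttl": int(ttl), "same_port": sport == dport}


def from_snort(text):
    """Pull header fields out of the Snort alert detail format."""
    ip_id, ttl = re.search(r"\bID=(\d+).*?\bTTL=(\d+)", text).groups()
    sport, dport, flags, win = re.search(
        r"port=(\d+) -> dport: (\d+) flags=(\S+).*?\bwin=(\d+)", text).groups()
    return fingerprint(flags.replace("*", ""), ip_id, win, ttl,
                       int(sport), int(dport))


def from_tcpdump(line):
    """Pull the same fields out of a verbose tcpdump line."""
    sport, dport, flags, win, ttl, ip_id = re.search(
        r"\S+\.(\w+) > \S+\.(\w+): ([A-Z.]+) .*?win (\d+) "
        r"\(ttl (\d+), id (\d+)\)", line).groups()
    return fingerprint(flags.replace(".", ""), ip_id, win, ttl,
                       port(sport), port(dport))


def differing_fields(a, b):
    """Names of fingerprint fields whose values differ between two packets."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    a, b = from_snort(SNORT), from_tcpdump(TCPDUMP)
    print("SYN+FIN in both:", a["flags"] == b["flags"] == frozenset("SF"))
    print("fields that differ:", differing_fields(a, b))
```

Only the TTL differs between the two entries, and TTL depends on the hop count between the scanner and each sensor; the SYN+FIN flags, IP ID, window size and source port equal to destination port are the same in both.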
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 16:51:58 PDT