Re: CRv2 multiple scans from same source IP

From: Chris Freeze (cfreezeat_private)
Date: Sun Aug 05 2001 - 20:25:08 PDT

Next message: Richard Forno: "Re: What use is the NIPC? / RFF Comments"

Previous message: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
In reply to: Luc Pardon: "Re: CRv2 multiple scans from same source IP"
Next in thread: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 6 Aug 2001, Luc Pardon wrote:

>   Maybe this is just three systems behind the same proxy ? Not untypical
> for cable ISP's.

Not that I've seen.  These IP's resolve to hostnames similar @home
personal hostnames.  As an example..

cXXXXXXX-a.nirving1.tx.home.com (and several hosts where XXXXXXX is just
slightly different) show up with double hits in Snort.  It and several
others like it also rescan about every 45 minutes.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Richard Forno: "Re: What use is the NIPC? / RFF Comments"
Previous message: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
In reply to: Luc Pardon: "Re: CRv2 multiple scans from same source IP"
Next in thread: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 20:53:48 PDT