port 9274?

From: John Kinsella (jlkat_private)
Date: Fri Dec 28 2001 - 08:57:45 PST


    Anybody got an idea of what this might be?  I've seen it on a few of my
    IDS sensors this morning:
    
    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
    12/28-08:06:06.702394 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
    TCP TTL:115 TOS:0x0 ID:14182 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    [**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
    12/28-08:06:09.511201 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
    TCP TTL:115 TOS:0x0 ID:14500 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK
    
    Quick look around the various sites doesn't seem to indicate much
    knowledge about a service running on 9274.  Source port seems to change
    for each destination IP, and probes each IP twice about 3 seconds apart.
    
    John
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
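
An added example (not part of the original post): Python that parses the two alerts quoted above and groups bare SYNs by address pair, port pair and sequence number. Packets that share all of these and differ only in IP ID are retransmissions of one unanswered SYN, and the script reports the gap between them. The regex and the function names are assumptions of this example; the addresses are the redacted placeholders from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two alerts from the post, addresses redacted as in the original.
ALERTS = """\
[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.3400 [**]
12/28-08:06:06.702394 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
TCP TTL:115 TOS:0x0 ID:14182 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [104:1:1] spp_anomsensor: Anomaly threshold exceeded: 4.2908 [**]
12/28-08:06:09.511201 XXX.XXX.X.XX:4513 -> XXX.XX.XXX.XXX:9274
TCP TTL:115 TOS:0x0 ID:14500 IpLen:20 DgmLen:48 DF
******S* Seq: 0x201AC3D4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""
# Matches three consecutive lines: timestamp/endpoints, IP header, TCP flags/seq.
PKT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+):(?P<sport>\d+)"
    r" -> (?P<dst>\S+):(?P<dport>\d+)\n.*?ID:(?P<ipid>\d+).*\n"
    r"(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)", re.M)

def parse(text):
    """Return one dict per packet found in Snort full-alert text."""
    pkts = []
    for m in PKT.finditer(text):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
        pkts.append(d)
    return pkts

def syn_retransmits(pkts):
    """Group bare SYNs by flow + sequence number; report groups seen twice or more."""
    groups = defaultdict(list)
    for p in pkts:
        if p["flags"] == "******S*":  # SYN set, nothing else
            groups[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p)
    out = []
    for flow, g in groups.items():
        if len(g) > 1:
            g.sort(key=lambda p: p["ts"])
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(g, g[1:])]
            out.append({"flow": flow, "count": len(g), "gaps_s": gaps,
                        "ip_ids": [int(p["ipid"]) for p in g]})
    return out

if __name__ == "__main__":
    print(syn_retransmits(parse(ALERTS)))
```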
    


