[Intrusions] "Deja Vu", IKE then SMTP connect scan

[Erik Fichtner]

On Fri, Jan 28, 2005 at 06:45:23PM -0500, Patrick Nolan wrote:
> Timing - 3 seconds between Port 500 probe and Port 25 connection. 
> Consistent enough for me. ymmv.

If win32 hosts have IPSec enabled at all, they attempt to
use it when contacting any host, anywhere.   

-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell