[Dshield] TCP Port 17300 scans increased

Johannes Ullrich jullrich at sans.org
Thu Jul 25 21:00:44 GMT 2002


> I'm also not sure what the value of reducing questions like this to the 
> list is.  

I think these postings make sense. Maybe in particular if more details
are shown, as one can already get from the graphs on the site.

Maybe as a suggested (but not mandatory) procedure if you see a surge in
scans:

- check the port report pages to see if its just you or if everybody
  is seeing this.

- try to capture some full packets or other details (depending on skill
  and equipment)

- summarize what you find in your post.

In short: don't just fire off a quick question, but show that you did
some work first.

I agree that we should try to avoid posting yet another Nimda signature.
But if you see a variation, let us know. And explain why you think it is
a variation (e.g., don't just ask 'is this different', but ask 'is this new?
I compared it to the standard signature found at ...')

-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org




More information about the list mailing list