[Dshield] Random source port from my network to port 80 on target network
jsage at finchhaven.com
Thu Oct 30 18:51:48 GMT 2003
On Thu, Oct 30, 2003 at 10:21:48AM -0500, Louis Hablas wrote:
> Exhibit A:
> 2003-10-23 20:49:13 external ip 65186 207.046.197.059 80 6
> 2003-10-23 20:49:48 external ip 65243 207.046.197.059 80 6
> I've noticed a few Dshield entries like these lately and am trying to
> understand what I'm seeing. In this case, the destination IP address is
> Microsoft, so I feel certain the entry relates to Automatic Updates or some
> other report back to the Mother Ship, but I'd appreciate any more
> insight/feedback from the list.
A TCP conversation between your local machine and a remote one (here,
something within the Microsoft address space) will likely take
place on a port > 1024 on your end.
Granted, here the source ports of 65186 and 65243 are rather toward
the high limit of 65353 (or is it 65535?) but in and of itself that's
not necessarily troubling.
"Most people don't type their own logfiles; but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
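
A sketch of how log lines like Exhibit A can be triaged by port roles, as an added example that is not part of the original thread. It assumes the source column holds a single zero-padded IP rather than the redacted "external ip", a local network of 192.0.2.0/24, and constructed sample lines; the function names are hypothetical.

```python
import ipaddress

WELL_KNOWN_MAX = 1023  # ports 0-1023 are the well-known service range
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network

# Constructed sample lines: date, time, source IP, source port, target IP,
# target port, protocol. Only 207.046.197.059 comes from the post.
SAMPLE = """\
2003-10-23 20:49:13 192.000.002.010 65186 207.046.197.059 80 6
2003-10-23 20:49:48 192.000.002.010 65243 207.046.197.059 80 6
2003-10-23 20:51:02 207.046.197.059 80 192.000.002.010 65243 6
2003-10-23 20:52:30 198.051.100.007 4312 192.000.002.010 135 6
2003-10-23 20:53:00 this line is malformed
"""

def normalize_ip(text):
    """Drop per-octet zero padding; recent ipaddress versions reject '046'."""
    return ipaddress.ip_address(".".join(str(int(o)) for o in text.split(".")))

def parse_line(line):
    """Return a record dict, or None when the line does not fit the layout."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, src, sport, dst, dport, proto = fields
    try:
        return {"src": normalize_ip(src), "sport": int(sport),
                "dst": normalize_ip(dst), "dport": int(dport),
                "proto": int(proto)}
    except ValueError:
        return None

def classify(rec, local_net=LOCAL_NET):
    """Label a TCP record by which end holds the high (client-side) port."""
    if rec["proto"] != 6:  # IP protocol 6 is TCP
        return "non-tcp"
    src_high = rec["sport"] > WELL_KNOWN_MAX
    dst_high = rec["dport"] > WELL_KNOWN_MAX
    if rec["src"] in local_net and src_high and not dst_high:
        return "outbound-client"      # local machine talking to a remote service
    if rec["dst"] in local_net and dst_high and not src_high:
        return "reply-to-client"      # remote service answering a local client
    if rec["dst"] in local_net and src_high and not dst_high:
        return "inbound-to-service"   # remote client reaching a local service port
    return "other"

def triage(text, local_net=LOCAL_NET):
    """Classify every line; lines that do not parse are labelled 'unparsed'."""
    recs = [parse_line(line) for line in text.splitlines()]
    return [classify(r, local_net) if r else "unparsed" for r in recs]
```

Entries shaped like Exhibit A (high source port on the local side, target port 80) come out as "outbound-client".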