[Dshield] Random source port from my network to port 80 on ta rget network
Lou.Hablas at rzim.org
Thu Oct 30 19:50:28 GMT 2003
Thanks for the quick reply...I figured as much, but wanted to run by the
list in case I was missing something. In all cases I've see so far, port on
my side is well north of 1024.
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Thursday, October 30, 2003 1:52 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Random source port from my network to port 80 on
On Thu, Oct 30, 2003 at 10:21:48AM -0500, Louis Hablas wrote:
> Exhibit A:
> 2003-10-23 20:49:13 external ip 65186 207.046.197.059 80 6
> 2003-10-23 20:49:48 external ip 65243 207.046.197.059 80 6
> I've noticed a few Dshield entries like these lately and am trying to
> understand what I'm seeing. In this case, the destination IP address is
> Microsoft, so I feel certain the entry relates to Automatic Updates or
> other report back to the Mother Ship, but I'd appreciate any more
> insight/feedback from the list.
A TCP conversation between your local machine and a remote one (here,
something within in the Microsoft address space) will likely take
place on a port > 1024 on your end.
Granted, here the source ports of 65186 and 65243 are rather toward
the high limit of 65353 (or is it 65535?) but in and of itself that's
not necessarily troubling.
"Most people don't type their own logfiles; but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
The information contained in this message may be CONFIDENTIAL and is for the
intended addressee only. Any unauthorized use, dissemination of the
information, or copying of this message is prohibited. If you are not the
intended addressee, please notify the sender immediately and delete this
More information about the list