[Dshield] Different Nachi/msblast probe pattern?

John Sage jsage at finchhaven.com
Thu Sep 11 14:53:17 GMT 2003


Undoubtedly we're all a little jumpy, but I don't believe I've yet
seen (or just not noticed?) this pattern of combo scan in the recent
go-round.

I've found two, from different hosts, going over just a little of last
night's logs.

From the same source host, very quickly:

input: snort.log.1063272162
filter: ip and ( src host 12.82.150.84 )
#
I 2003/09/11 02:26:49.482104 12.82.150.84 -> 12.82.136.132 8:0
  03 00 b4 6a aa aa aa aa    aa aa aa aa aa aa aa aa    ...j............
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....
#
T 2003/09/11 02:26:49.852144 12.82.150.84:2648 -> 12.82.136.132:135 [S]
#
T 2003/09/11 02:26:50.162198 12.82.150.84:2648 -> 12.82.136.132:135 [A]
#
T 2003/09/11 02:26:50.182208 12.82.150.84:2648 -> 12.82.136.132:135 [AP]
  05 00 0b 03 10 00 00 00    48 00 00 00 7f 00 00 00    ........H.......
  d0 16 d0 16 00 00 00 00    01 00 00 00 01 00 01 00    ................
  a0 01 00 00 00 00 00 00    c0 00 00 00 00 00 00 46    ...............F
  00 00 00 00 04 5d 88 8a    eb 1c c9 11 9f e8 08 00    .....]..........
  2b 10 48 60 02 00 00 00                               +.H`....
#
T 2003/09/11 02:26:50.492267 12.82.150.84:2648 -> 12.82.136.132:135 [A]
#
T 2003/09/11 02:26:50.502231 12.82.150.84:2648 -> 12.82.136.132:135 [AF]
#
U 2003/09/11 02:26:53.092471 12.82.150.84:137 -> 12.82.136.132:137
  86 37 00 00 00 01 00 00    00 00 00 00 20 43 4b 41    .7.......... CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
U 2003/09/11 02:26:54.552620 12.82.150.84:137 -> 12.82.136.132:137
  86 38 00 10 00 01 00 00    00 00 00 00 20 43 4b 41    .8.......... CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
U 2003/09/11 02:26:56.332801 12.82.150.84:137 -> 12.82.136.132:137
  86 39 00 10 00 01 00 00    00 00 00 00 20 43 4b 41    .9.......... CKA
  41 41 41 41 41 41 41 41    41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
  41 41 41 41 41 41 41 41    41 41 41 41 41 00 00 21    AAAAAAAAAAAAA..!
  00 01                                                 ..
#
I 2003/09/11 03:51:32.130537 12.82.150.84 -> 12.82.136.132 8:0
  03 00 d1 5b aa aa aa aa    aa aa aa aa aa aa aa aa    ...[............
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....
exit




-- 
"Warning: time of day goes back, taking countermeasures."

Note: The isc at incidents.org email address is an alias for a
 mailing list of approximately 30 volunteer incident handlers.
 You may receive responses from other individuals on that list.
 Please direct all communications to isc at incidents.org, so that
 everyone is kept "in the loop".
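
The probe order in the capture above (an ICMP echo padded with 0xaa, a SYN to TCP 135, then UDP 137 queries, all from one source to one target) can be searched for in ngrep-style output with a small correlator. This is an added example, not part of the original post; the 10-second window, the function names and the 192.0.2.x sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

HEADER = re.compile(r"^([ITU]) (\S+ \S+) ([\d.]+)(?::\d+)? -> ([\d.]+)(?::(\d+))? ?(\S*)")
HEXROW = re.compile(r"^ +((?:[0-9a-f]{2} ?){1,8})(?: {3}((?:[0-9a-f]{2} ?){1,8}))?")

def parse_ngrep(text):
    """Parse ngrep-style text into packet dicts; hex rows extend the last packet."""
    packets = []
    for line in text.splitlines():
        h, x = HEADER.match(line), HEXROW.match(line)
        if h:
            proto, ts, src, dst, dport, info = h.groups()
            packets.append(dict(proto=proto, src=src, dst=dst, dport=int(dport or 0), info=info,
                                payload=b"", ts=datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f")))
        elif x and packets:  # keep the two hex columns, drop the ASCII column
            packets[-1]["payload"] += bytes.fromhex(x.group(1) + (x.group(2) or ""))
    return packets

STEPS = [  # probe order seen in the capture: 0xaa-filled echo, SYN to 135, UDP to 137
    lambda p: p["proto"] == "I" and p["info"] == "8:0" and set(p["payload"][4:]) == {0xAA},
    lambda p: p["proto"] == "T" and p["dport"] == 135 and p["info"] == "[S]",
    lambda p: p["proto"] == "U" and p["dport"] == 137,
]

def find_combo(packets, window=timedelta(seconds=10)):  # window is an assumed value
    """Return (src, dst, echo_time) for each pair that completes STEPS in order in time."""
    stage, hits = {}, []  # stage: (src, dst) -> (next step index, time of the echo)
    for p in packets:
        key = (p["src"], p["dst"])
        step, t0 = stage.get(key, (0, None))
        if STEPS[0](p):
            step, t0 = 1, p["ts"]  # a fresh echo (re)starts the sequence
        elif step and p["ts"] - t0 <= window and STEPS[step](p):
            step = (step + 1) % len(STEPS)  # wraps to 0 after the last step
            if step == 0:
                hits.append((*key, t0))
        stage[key] = (step, t0)
    return hits

SAMPLE = """\
I 2003/09/11 02:26:49.482104 192.0.2.10 -> 192.0.2.20 8:0
  03 00 b4 6a aa aa aa aa    aa aa aa aa aa aa aa aa    ...j............
T 2003/09/11 02:26:49.852144 192.0.2.10:2648 -> 192.0.2.20:135 [S]
U 2003/09/11 02:26:53.092471 192.0.2.10:137 -> 192.0.2.20:137
I 2003/09/11 02:30:00.000000 192.0.2.99 -> 192.0.2.20 8:0
  03 00 b4 6a aa aa aa aa    aa aa aa aa aa aa aa aa    ...j............
T 2003/09/11 02:30:00.400000 192.0.2.99:3001 -> 192.0.2.20:135 [S]
"""  # constructed sample: host .10 completes the sequence, host .99 stops after port 135
print(find_combo(parse_ngrep(SAMPLE)))
```

Packets that match no step (the [A], [AP] and [AF] segments in the capture) are ignored, so they do not break a sequence in progress.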



