[Dshield] Surge in 445?

David Hart DavidHart at TQMcube.com
Sun Jan 18 23:26:59 GMT 2004


I just took a look at copies of Dshield reports and it looks like a
surge in 445 from nearby IPs. I'm curious. Is there anything I can tell
from the similarities between packets generated from two different IPs?
For example, TCP packet options:

Jan 18 16:29:25 mail2 kernel: Firewall: IN=eth1 OUT=
MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=151.198.149.39
DST=192.168.0.31 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=34778 DF PROTO=TCP
SPT=3701 DPT=445 SEQ=3174263281 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
OPT (020405A001010402) 

vs;

Jan 18 16:45:47 mail2 kernel: Firewall: IN=eth1 OUT=
MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=151.203.18.148
DST=192.168.0.31 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=25258 DF PROTO=TCP
SPT=3632 DPT=445 SEQ=3350271271 ACK=0 WINDOW=64800 RES=0x00 SYN URGP=0
OPT (020405A001010402) 

                               ---------
            Quality Management - A Commitment to Excellence