Coordinated HTTP scan (NOT CodeRed or Nimda)?

Kinsey, Robert Robert.Kinsey at Veridian.com
Wed Mar 6 16:42:39 GMT 2002


Glenn,

I would definitely agree that this looks like some type of scanning but
based on the variable structure of the SYN packets it will be hard to pin
down exactly what tool is used.

Nmap among others will provide this kind of scan.  You might want to
consider an alert of inbound to 80 with 1 packet and after only so many hits
from the same source IP.  Based on the scans you saw you might want to set
these at a level that won't flood you with alerts but still keep you
informed about what's happening with your network.

happy hunting,
Rob



More information about the unisog mailing list