Coordinated HTTP scan (NOT CodeRed or Nimda)?

Kinsey, Robert Robert.Kinsey at
Wed Mar 6 16:42:39 GMT 2002


I would definitely agree that this looks like some type of scanning but
based on the variable structure of the SYN packets it will be hard to pin
down exactly what tool is used.

Nmap among others will provide this kind of scan.  You might want to
consider an alert of inbound to 80 with 1 packet and after only so many hits
from the same source IP.  Based on the scans you saw you might want to set
these at a level that won't flood you with alerts but still keep you
informed about what's happening with your network.

happy hunting,

More information about the unisog mailing list