----- Original Message -----
From: Philip S Tellis philip.tellis@iname.com
To: linuxers@mm.ilug-bom.org.in
Sent: Sunday, December 30, 2001 12:34 AM
Subject: Re: [ILUG-BOM] [sec] scanning signs
Sometime on Dec 29, kishor bhagwat assembled some asciibets to say:
This is a malicious attempt, not innocent at all!! Hint: same destination and source ports...
Only in the case of SPT, DPT 22, 111. Others have seemingly random SPT.
You've got connect attempts (SYN packets) on ports 21, 22, 25, 111 (ftp, ssh, smtp, portmapper/sunrpc).
My guess is that someone is looking to see if you (or anyone on the network (broadcast address)) have these services running. Can't tell if they're just probing for running services, or if they're actually looking for exploits. All I know is that all of the above have known vulnerabilities and exploits.
OK, look what snort picked up from the network!! A nice little custom-made IP fragment. Somebody on my network is really active, eh?!!! Have we got him/her?!!

12/29-20:21:16.941716 0:80:AD:7F:16:46 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x6E
0.1.0.1 -> 0.1.0.1 CHAOS TTL:172 TOS:0x0 ID:28851 IpLen:20 DgmLen:96 DF
Frag Offset: 0x13C2   Frag Size: 0x4C
00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 00  ................
00 01 00 03 00 01 00 32 00 01 00 AF 00 01 00 FF  .......2........
00 01 00 65 00 01 01 CB 01 01 01 4A 01 01 00 FC  ...e.......J....
00 01 00 A8 00 01 00 AC 00 01 00 AA 00 01 00 80  ................
00 01 00 46 00 01 00 02 00 01 01 00              ...F........
I'm also wondering about the roles of snort and iptables. Where exactly does snort hook into the netfilter mechanism? (Does it hook into it at all?) Does snort receive packets after iptables is through with them? Is it simultaneous?
regards, kishor
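Philip's reasoning earlier in the thread (SYN-only packets to several service ports, a source port equal to the destination port, a destination that is a broadcast address) can be turned into a small check over iptables LOG output. The script below is an added example; it is not code from the original thread or from either poster. The log lines, hostname, addresses and IP IDs in it are constructed, and treating 10.0.0.255 as the broadcast address is an assumption about that constructed subnet.

```python
"""Flag port-scan-style connect attempts in iptables LOG output.

Added example, not code from the original thread. It applies the
reasoning from the message above: a source sending SYN-only packets to
several service ports is probing, and SPT == DPT is a scanner
fingerprint, since a normal client gets an ephemeral source port from
its OS rather than picking the service port.
"""
from collections import defaultdict

# Constructed iptables LOG lines (not from the original post). Host name,
# addresses and IDs are invented; the pattern follows Philip's description:
# SYNs to 21, 22, 25 and 111, with SPT == DPT only on 22 and 111. The last
# two lines are an ordinary SSH client (SYN, then ACK, ephemeral port).
SAMPLE_LOG = """\
Dec 29 20:10:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=34182 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:10:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4002 DF PROTO=TCP SPT=22 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:10:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4003 DF PROTO=TCP SPT=51203 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:10:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4004 DF PROTO=TCP SPT=111 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:10:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.12 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=40120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 20:10:06 gw kernel: IN=eth0 OUT= SRC=10.0.0.12 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=TCP SPT=40120 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Bare tokens the LOG target emits for TCP flags (no KEY= prefix).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split one iptables LOG line into KEY=VALUE fields and bare TCP flags.

    Returns None for lines that carry no PROTO= field (not a netfilter log).
    """
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return (fields, flags) if "PROTO" in fields else None


def is_connect_attempt(fields, flags):
    """SYN without ACK: the first packet of a handshake, or a SYN probe."""
    return fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags


def analyse(log_text, min_ports=3, broadcast_addrs=("255.255.255.255",)):
    """Group SYN-only packets by source and attach scan indicators.

    broadcast_addrs: destinations to treat as broadcast. The directed
    broadcast of your own subnet belongs here; for the constructed sample
    that is assumed to be 10.0.0.255.
    """
    per_src = defaultdict(lambda: {"ports": set(), "spt_eq_dpt": set(), "broadcast": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if not is_connect_attempt(fields, flags):
            continue
        rec = per_src[fields["SRC"]]
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
        rec["ports"].add(dpt)
        if spt == dpt:                       # Philip's hint: same source and destination port
            rec["spt_eq_dpt"].add(dpt)
        if fields.get("DST") in broadcast_addrs:
            rec["broadcast"] = True

    report = {}
    for src, rec in per_src.items():
        reasons = []
        if len(rec["ports"]) >= min_ports:
            reasons.append("SYNs to %d distinct ports" % len(rec["ports"]))
        if rec["spt_eq_dpt"]:
            reasons.append("SPT == DPT on %s" % sorted(rec["spt_eq_dpt"]))
        if rec["broadcast"]:
            reasons.append("SYN sent to a broadcast address")
        report[src] = {
            "ports": sorted(rec["ports"]),
            "spt_eq_dpt": sorted(rec["spt_eq_dpt"]),
            "reasons": reasons,
        }
    return report


def suspicious_sources(report):
    """Sources with at least one scan indicator, sorted for stable output."""
    return sorted(src for src, rec in report.items() if rec["reasons"])


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG, broadcast_addrs=("10.0.0.255", "255.255.255.255"))
    for src in suspicious_sources(rep):
        print(src, rep[src]["ports"], "; ".join(rep[src]["reasons"]))
```

On the constructed sample, 10.0.0.77 trips all three indicators while the ordinary SSH client at 10.0.0.12 trips none, because its single SYN comes from an ephemeral port and is followed by an ACK. On the snort/iptables question raised above: snort reads packets through libpcap, which taps frames at the link layer before the IP stack runs netfilter's hooks, so snort sees a packet whether or not an iptables rule later drops it; the two give independent views of the same traffic, and a LOG rule is the only way to get iptables' own view into a file like the one parsed here.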