Re: FTP Bounce scan
Dries Kimpe <dries@wina.rug.ac.be> writes:
> Today, I saw in the snort logs the following:
> (removed ip & date to get it in 78-col format)
>
> 193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
> 193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
[snip]
> 193.189.224.13:42967 -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:21 -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:43074 -> ip:113 SYN 12****S* RESERVEDBITS
> 143.169.4.111:22 -> ip:22 SYNFIN ******SF
> 143.169.4.111:4614 -> ip:22 SYN ******S*
>
> Is this a so-called ftp-bounce scan? Because it starts every time with a
> connection from port 21, and then a bunch of connections on higher
> ports. These came in bursts, each time for about one minute or so.
Looks like FTP to me, full-stop. It's just that you've not sorted out your
snort rules to cope with ECN yet, have you?
~Tim
--
Tell me where oh where has summer gone | debian@stirfried.vegetable.org.uk
It hasn't come this year | http://piglet.is.dreaming.org
You always cry when swallows fly |
With doubts in search of dreams |
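A small triage script, added here and not part of the thread, that decodes snort's 8-character flag field (printed in the order "12UAPRSF", where '1' and '2' are the two reserved bits that RFC 3168 reassigned as CWR and ECE) and separates ECN-setup SYN and SYN/ACK packets from combinations that still deserve an alert, such as SYN+FIN. The sample lines are constructed from the log quoted above with the local host written as "ip"; the verdict labels are my own naming, not snort's.

```python
import re

# Snort prints TCP flags as an 8-char field in the order "12UAPRSF": '1' and '2'
# are the reserved bits (RFC 3168 CWR and ECE), then URG ACK PSH RST SYN FIN.
FLAG_ORDER = "12UAPRSF"
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
ECN_BITS = {"CWR", "ECE"}
LINE_RE = re.compile(r"^(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
                     r"(?P<label>\S+) (?P<flags>[12UAPRSF*]{8})(?: (?P<note>.*))?$")

# Constructed sample: the lines quoted in the post, local host shown as "ip".
SAMPLE_LOG = """\
193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF
143.169.4.111:4614 -> ip:22 SYN ******S*
"""

def decode_flags(field: str) -> set:
    """Turn a snort flag string such as '*2*A**S*' into {'ECE', 'ACK', 'SYN'}."""
    if len(field) != 8:
        raise ValueError(f"bad flag field: {field!r}")
    flags = set()
    for expected, ch in zip(FLAG_ORDER, field):
        if ch != "*":                      # '*' means the bit is clear
            if ch != expected:
                raise ValueError(f"unexpected {ch!r} in flag field {field!r}")
            flags.add(FLAG_NAMES[ch])
    return flags

def classify(flags: set) -> str:
    """Separate RFC 3168 ECN negotiation from flag combinations worth an alert."""
    ecn, core = flags & ECN_BITS, flags - ECN_BITS
    if {"SYN", "FIN"} <= core:
        return "SYNFIN"            # never legitimate; keep alerting on this
    if core == {"SYN"} and ecn == ECN_BITS:
        return "ECN-SETUP-SYN"     # initiator's SYN with CWR+ECE set
    if core == {"SYN", "ACK"} and ecn == {"ECE"}:
        return "ECN-SETUP-SYNACK"  # responder's SYN/ACK with only ECE set
    if ecn:
        return "RESERVED-BITS"     # CWR/ECE in any other combination: still odd
    return "NORMAL"

def triage(log: str) -> list:
    """Return (source, destination port, verdict) for every parseable log line."""
    matches = filter(None, map(LINE_RE.match, log.splitlines()))
    return [(m["src"], int(m["dport"]), classify(decode_flags(m["flags"]))) for m in matches]
```

Run over the sample, the three RESERVEDBITS lines come back as ECN negotiation while the SYN+FIN line to port 22 is still reported.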