What does this SNORT mean?
Kelly Fallon
kfallon at ci.lawrence.ks.us
Wed Sep 25 14:35:48 CDT 2002
On Tue, 2002-09-24 at 23:37, Hanasaki JiJi wrote:
> [**] [1:542:2] INFO Possible IRC Access [**]
> [Classification: Not Suspicious Traffic] [Priority: 3]
> 09/23-18:55:03.570539 65.26.127.29:1805 -> 66.28.140.58:6669
> TCP TTL:64 TOS:0x0 ID:48392 IpLen:20 DgmLen:97 DF
> ***AP*** Seq: 0xA02BE993 Ack: 0x27CE056 Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 225006747 16743823
That the first machine sent traffic to the second machine on a port that
is commonly used to listen for IRC connections. This could be a user
using IRC, an exploit or IRC bot calling home, or non-IRC-related traffic
that happened to be assigned that port at that time.
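
The alert quoted above, decoded field by field. This is an added example, not part of the original post; the function names and dictionary keys are illustrative choices, and the only input is the alert text from the message.

```python
import re

# The alert quoted in the post, copied verbatim with the "> " markers removed.
ALERT = """\
[**] [1:542:2] INFO Possible IRC Access [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
09/23-18:55:03.570539 65.26.127.29:1805 -> 66.28.140.58:6669
TCP TTL:64 TOS:0x0 ID:48392 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0xA02BE993 Ack: 0x27CE056 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 225006747 16743823
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW = re.compile(r"(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
IPLEN = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"^([\w*]{8}) Seq: .*TcpLen: (\d+)", re.M)
# Snort prints the TCP flags as eight fixed positions; "*" means the bit is clear.
FLAG_NAMES = ["RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

def parse_alert(text):
    """Parse one full-format TCP alert; raise ValueError if a field is missing."""
    found = [p.search(text) for p in (HEADER, CLASS, FLOW, IPLEN, TCP)]
    if not all(found):
        raise ValueError("not a full-format Snort TCP alert")
    h, c, f, ip, t = found
    return {
        "gid": int(h[1]), "sid": int(h[2]), "rev": int(h[3]), "msg": h[4],
        "classification": c[1], "priority": int(c[2]),
        "timestamp": f[1],
        "src": (f[2], int(f[3])), "dst": (f[4], int(f[5])),
        "tcp_flags": [n for n, ch in zip(FLAG_NAMES, t[1]) if ch != "*"],
        # Datagram length minus IP and TCP header lengths leaves the payload.
        "payload_len": int(ip[2]) - int(ip[1]) - int(t[2]),
    }

def describe(a):
    """Restate the alert in the terms the reply uses: who sent what to which port."""
    return (f"{a['src'][0]}:{a['src'][1]} sent {a['payload_len']} bytes "
            f"({'+'.join(a['tcp_flags'])}) to {a['dst'][0]} port {a['dst'][1]}; "
            f"rule {a['gid']}:{a['sid']} rev {a['rev']} ({a['msg']!r}), "
            f"priority {a['priority']}")

if __name__ == "__main__":
    print(describe(parse_alert(ALERT)))
```

The ACK and PSH flags with a 45-byte payload show the packet belongs to a connection that was already established, so the alert records data in flight rather than a connection attempt.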