Intrusion Detection Systems mailing list archives

Source port of Samba Scans?

From: swan_daniel () my-deja com (Daniel Swan)
Date: Fri, 10 Mar 2000 10:13:34 -0800



Looking at my logs, I see a lot of Samba scans... I think it's a fair assumption that Legion is being used in most 
cases.  (If this is not a fair assumption, please let me know!).

Sometimes the source port is something random, above 1024, which I assume is just a dynamically allocated port... but 
in other cases, it is
137.

So how do we account for the two different cases here...  is it different tools, different OS's... or what?

--== Sent via Deja.com http://www.deja.com/ ==--
Share what you know. Learn what you don't.

Current thread:

Source port of Samba Scans? Daniel Swan (Mar 10)
- <Possible follow-ups>
- Re: Source port of Samba Scans? Robert Graham (Mar 10)
- Re: Source port of Samba Scans? Daniel Swan (Mar 10)
  - Re: Source port of Samba Scans? Stuart Staniford-Chen (Mar 11)
  - comparison of NFR vs RealSecure Thomas Nau (Mar 12)
    - Re: comparison of NFR vs RealSecure Talisker (Mar 19)
    - Good source of intrusion detection and response steps? Matt Baney (Mar 24)
    - Re: Good source of intrusion detection and response steps? Stuart Staniford-Chen (Mar 24)
    - Re: Good source of intrusion detection and response steps? Matt Baney (Mar 27)
    - question tongchangda (Mar 19)
    - Shomit Tap Documentation Jackie Chan (Mar 21)

(Thread continues...)