
SANS ISC: DShield analysis SANS ISC InfoSec Forums

DShield analysis
Hello,

Analysing the DShield.log, there were two topics I couldn't find information on:

- TTL: the default is 64, but nearly all scanners use a TTL around 250, and the "attackers" (trying to log in) use a TTL around 250

- Source port: default for Linux is above 32,000, but there are a number of scans with source port below

It seems most of the scans are using nmap (windows-size=1024), but my checks did not confirm any unusual TTL or source ports.

Does the specific TTL and source port reveal anything about the scanners?

Thanks
Anonymous
