Snort, FIN Scans, and port 6346 (Gnutella)
Well, I checked into my ACID yesterday, and there were 109 new alerts! Normally, I get about 5-6 a day, usually robots.txt access. All of the new alerts were of the same type: "(spp_stream4) STEALTH ACTIVITY (FIN scan) detection," and, oddly enough, headed for the same port: 6346 (gnutella). So far, there were 114 occurrences from 22 different hosts headed to that port. It seems to have tapered off somewhat.
I was wondering if anyone had any thoughts on this activity? Is the RIAA trying to keep track of me, although I haven't used gnutella in 3 months? Or, is this something else? OR, am I just being paranoid?
Ian
Last edited by green_dragon37; 11-16-2003 at 09:02 PM.