Incident: 02-26-02 10:41am

tcp:53 SYN packets from a DSL-based host, out of Brazil...

snort2html.plx:

Feb 26 10:41:00 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 10:41:04 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net

Feb 26 10:41:10 - snort [1:0:0] TCP to 53 domain 
  Source IP: 200.171.2.25   Source port: 2502 
Source host: 200-171-2-25.dsl.telesp.net.br
  Target IP: 12.82.131.103   Target port: 53   Proto: TCP 
Target host: 103.seattle-08-09rs.wa.dial-access.att.net



snort packet dump:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/26-10:41:00.957021 200.171.2.25:2502 -> 12.82.131.103:53
TCP TTL:43 TOS:0x0 ID:38525 IpLen:20 DgmLen:60 DF
******S* Seq: 0xCF55094D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 9586862 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/26-10:41:04.057334 200.171.2.25:2502 -> 12.82.131.103:53
TCP TTL:43 TOS:0x0 ID:39180 IpLen:20 DgmLen:60 DF
******S* Seq: 0xCF55094D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 9587162 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/26-10:41:10.057964 200.171.2.25:2502 -> 12.82.131.103:53
TCP TTL:43 TOS:0x0 ID:40528 IpLen:20 DgmLen:60 DF
******S* Seq: 0xCF55094D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 9587762 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Request: 200.171.2.25
connecting to whois.arin.net [192.149.252.34:43] ...
connecting to whois.registro.br [143.108.23.3:43] ... 

% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2002-02-28 12:10:13 (BRT -03:00) 

inetnum:     200.171/16
aut-num:     AS10429
abuse-c:     LAG112
owner:       TELECOMUNICACAO DE SAO PAULO S/A - TELESP
ownerid:     002.558.157/0001-62
responsible: Marcos Lourenceti Formoso
address:     Av. Paulista, 2300, 19º andar
address:     01310-300 - Sao Paulo - SP
phone:       (011) 3329-5132 []
owner-c:     MLF120
tech-c:      MAP728
inetrev:     200.171.0/17
nserver:     DNSQIPBR1.TELESP.NET.BR
nsstat:      20010824 AA
nslastaa:    20010824



host:

[toot@sparky /storage/snort/old_snorts/022602]# host 200.171.2.25
25.2.171.200.in-addr.arpa. domain name pointer 200-171-2-25.dsl.telesp.net.br.
jsage@finchhaven.com
Last modified: Thu Feb 28 07:14:04 2002