Today one of our Handlers notice an interesting anomaly in the Dshield data. Since late March Dshield has seen a significant increase in the number of sources using port 2967 for scanning.  Traditionally there has been some  activity on this port, but in late March  the number of sources increased approximately six times and the number of targets increased by about 50%. After a few days the sources settled  down to about double the traditional value.

Most likely this has something to do with the recent Symantec vulnerabilities, but we here at the ISC would be interested in any insight anybody can shed on this activity.  We would be especially interested in  packet captures from traffic of this nature.

 If you have any information that may help, please contact us.

-- Rick Wanner rwanner at isc dot sans dot org