Security Incidents mailing list archives

Re: Port-scans from visited web-sites?


From: joey () SILICONDEFENSE COM (Joe McAlerney)
Date: Thu, 8 Jun 2000 08:44:28 -0700


Snort's portscan preprocessor will register web traffic as portscans if
your threshold is too low.  It simply looks for X packets sent to your
network in Y seconds.  Try increasing either the packet threshold or the
time.

-Joe M.

Peter Bates wrote:

Hello all...

I noticed the following today:

Jun  7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun  7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status
from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun  7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan
from 206.251.0.173
Jun  7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun  7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status
from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun  7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan
from 206.251.0.173
Jun  7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun  7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status
from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun  7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan
from 206.251.0.173

using snort, obviously, and generated from
our machine that acts as our site 'web-cache/proxy'...
this was followed by about 3/4 other similar 'scans'
acknowledged by snort...

What interested me was the source of the addresses:

       LucasArts Entertainment Company (LUCASARTS-DOM)
(NETBLK-LOCO-NET-LUCASARTS)
          PO Box 10307
          San Rafael, CA 94912
          US

          Netname: LOCO-NET-LUCASARTS
          Netblock: 206.251.0.128 - 206.251.0.191

...

Has anyone else seen this kind of activity,
and can the snort portscan detection be trusted?

Thanks....

--
---------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
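Joe's description of the preprocessor (X packets to your network in Y seconds) as a small sliding-window model, added here and not Snort's own code. The connection events, addresses, ports and threshold values are constructed for illustration, and the model counts connection attempts to distinct host:port targets rather than raw packets; it shows why a threshold of one connection fires on every ordinary web fetch while a higher threshold still catches a real sweep.

```python
from collections import defaultdict, deque

# Constructed events: (timestamp in seconds, src_ip, dst_ip, dst_port).
# The first source behaves like a web server answering a proxy: one
# connection now and then.  The second is a constructed sweep of six
# ports on one host inside two seconds.
EVENTS = [
    (0.0,   "206.251.0.173", "10.0.0.5", 80),
    (180.0, "206.251.0.173", "10.0.0.5", 80),
    (300.0, "198.51.100.9",  "10.0.0.5", 21),
    (300.3, "198.51.100.9",  "10.0.0.5", 22),
    (300.6, "198.51.100.9",  "10.0.0.5", 23),
    (300.9, "198.51.100.9",  "10.0.0.5", 25),
    (301.2, "198.51.100.9",  "10.0.0.5", 80),
    (301.5, "198.51.100.9",  "10.0.0.5", 443),
]


def detect_portscans(events, threshold, window_seconds):
    """Return {src_ip: [alert_time, ...]}.

    A source is reported when it has contacted at least `threshold`
    distinct (dst_ip, dst_port) targets within the last `window_seconds`.
    After an alert the source's window is cleared, so one burst yields
    one alert rather than one per packet (the 'End of portscan' idea).
    """
    windows = defaultdict(deque)  # src_ip -> deque of (ts, target)
    alerts = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        win = windows[src]
        # Expire entries that have slid out of the detection window.
        while win and ts - win[0][0] > window_seconds:
            win.popleft()
        win.append((ts, (dst, port)))
        distinct_targets = {target for _, target in win}
        if len(distinct_targets) >= threshold:
            alerts[src].append(ts)
            win.clear()
    return dict(alerts)


if __name__ == "__main__":
    # A one-connection threshold flags every single web connection.
    print("threshold=1:", detect_portscans(EVENTS, threshold=1, window_seconds=3))
    # Raising the threshold silences the proxy traffic but keeps the sweep.
    print("threshold=4:", detect_portscans(EVENTS, threshold=4, window_seconds=3))
```

The STEALTH tag in the quoted log is a separate matter that this counting model does not cover; it only shows the effect of the packet threshold and the time window that Joe refers to.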

