Snort mailing list archives

RE: Interpreting logs


From: "Migus, Adam" <Adam_Migus () NAI com>
Date: Fri, 20 Jul 2001 11:32:05 -0700

I was kind of hoping for a little more verbose and informative response.
See comments below.

-----Original Message-----
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt () innominate com]
Sent: Friday, July 20, 2001 2:29 AM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Interpreting logs


On Thu, Jul 19, 2001 at 09:25:05AM -0700, Migus, Adam wrote:

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
07/19-03:01:48.093228

The rate was exceeded.

Ok but why?  My firewall protects one user, me.  I don't serve anything so
it is doubtful that there were 4 incoming connections to my external
interface in 3 seconds.  Does it have something to do with NAT?

[**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
******S* Seq: 0xBE1604FD  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

This entry is also taken from my /var/log/snort/alert.  It is complaining
about an ordinary connection to the http port of a random site I visited.
Why?

Because it's anomalous.

Why is it considered anomalous?


Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*

This entry is taken from /var/log/snort/portscan.log.  These as well are
ordinary client connections to an external DNS and POP server I use.  How do
I interpret this?

Somebody used your nameserver,

No, 24.249.235.55 is my external interface so the packet clearly shows that
I used someone else's nameserver, not the other way around.

Somebody made a synscan for a POP3 server.

As I said above I am the only user on the network.  This was a legitimate
POP3 request I made to the POP server I get my mail on.  So why did snort
complain?



-- 
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
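As an added example (not code from the thread or from Snort), a small Python triage script that parses lines in the portscan.log format quoted above, applies the "4 connections in 3 seconds" rate check the alert names, and labels whether a flagged source is the monitored host's own address, which is what makes ordinary outbound client traffic show up as a "scan". The two quoted log lines are reused; the remaining sample lines, the year, and the `local_addrs` set are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in the portscan.log format quoted in the thread. The first two
# lines are the ones from the post; the rest are made up so the rate check trips.
PORTSCAN_LOG = """\
Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
Jul 19 05:23:28 24.249.235.55:41758 -> 64.94.89.146:80 SYN ******S*
Jul 19 05:23:28 24.249.235.55:41759 -> 64.94.89.146:80 SYN ******S*
Jul 19 05:23:29 24.249.235.55:41760 -> 198.165.106.2:110 SYN ******S*
Jul 19 05:23:29 24.249.235.55:41761 -> 24.3.0.36:53 UDP
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\w+)")

def parse_portscan_log(text, year=2001):
    """Return (timestamp, src_ip, dst_ip, dst_port, proto) tuples; syslog stamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(4), int(m.group(5)), m.group(6)))
    return events

def rate_hits(events, threshold=4, window=3):
    """Sliding-window count per source: flag a source once it reaches `threshold` connections within `window` seconds."""
    recent, hits = {}, set()
    for ts, src, *_ in sorted(events):
        q = recent.setdefault(src, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop connections older than the window
        if len(q) >= threshold:
            hits.add(src)
    return hits

def triage(text, local_addrs, **kw):
    """Label each flagged source as the monitored host's own outbound traffic or as an outside source."""
    events = parse_portscan_log(text)
    report = {}
    for src in rate_hits(events, **kw):
        targets = sorted({(d, p) for _, s, d, p, _ in events if s == src})
        report[src] = {
            "direction": "outbound (local client)" if src in local_addrs else "inbound (remote)",
            "targets": targets,
        }
    return report
```

Running `triage(PORTSCAN_LOG, {"24.249.235.55"})` flags the single source and labels it as the local client's own outbound connections; with an empty `local_addrs` the same events would be reported as a remote source.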



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
