Snort mailing list archives
RE: Interpreting logs
From: "Migus, Adam" <Adam_Migus () NAI com>
Date: Fri, 20 Jul 2001 11:32:05 -0700
I was kind of hoping for a little more verbose and informative response. See comments below.
-----Original Message-----
From: Ralf Hildebrandt [mailto:Ralf.Hildebrandt () innominate com]
Sent: Friday, July 20, 2001 2:29 AM
To: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Interpreting logs

> On Thu, Jul 19, 2001 at 09:25:05AM -0700, Migus, Adam wrote:
>
> > [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55
> > (THRESHOLD 4 connections exceeded in 3 seconds) [**]
> > 07/19-03:01:48.093228
>
> The rate was exceeded.
OK, but why? My firewall protects one user, me. I don't serve anything, so it is doubtful that there were 4 incoming connections to my external interface in 3 seconds. Does it have something to do with NAT?
> > [**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
> > 07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
> > TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0xBE1604FD  Ack: 0x0  Win: 0x4000  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> >
> > This entry is also taken from my /var/log/snort/alert. It is complaining
> > about an ordinary connection to the http port of a random site I
> > visited. Why?
>
> Because it's anomalous.
Why is it considered anomalous?
> > Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
> > Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
> >
> > This entry is taken from /var/log/snort/portscan.log. These as well are
> > ordinary client connections to an external DNS and POP server I use.
> > How do I interpret this?
>
> Somebody used your nameserver,
No, 24.249.235.55 is my external interface, so the packet clearly shows that I used someone else's nameserver, not the other way around.
> Somebody made a synscan for a POP3 server.
As I said above, I am the only user on the network. This was a legitimate POP3 request I made to the POP server I get my mail on. So why did Snort complain?
> --
> ralf.hildebrandt () innominate com        innominate AG
> Diplom-Informatiker                      Technical Consultant
> tel: +49.(0)7000.POSTFIX                 fax: +49.(0)30.308806-77
> Don't be afraid of what you see - be afraid of what you don't see!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
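Editor's added example (not Snort's spp_portscan code and not part of the thread): a sliding-window reimplementation of the rule the first alert is reporting, "THRESHOLD 4 connections exceeded in 3 seconds", run over the portscan.log lines Adam posted plus constructed lines. The counter is keyed on the source address alone, as the alert text ("PORTSCAN DETECTED from 24.249.235.55") is, so a single client that opens four connections to different hosts in a couple of seconds, as a browser does when it fetches a page with images from several servers, reaches the threshold just as an outside host probing four ports does; the example tags every hit with whether the source lies inside HOME_NET so the two cases can be told apart. Assumptions: the log line shape from the excerpt, the year 2001 for timestamps (portscan.log lines carry none), documentation-range addresses 192.0.2.0/24 and 198.51.100.0/24 for the made-up entries, a portscan.log line reconstructed from the packet in the anomaly alert, and a HOME_NET of just 24.249.235.55/32.

```python
"""Sliding-window reimplementation of the spp_portscan threshold rule.

Added illustration for this thread; it is not Snort's spp_portscan code.
The rule mirrors the alert text "THRESHOLD 4 connections exceeded in
3 seconds": a source is reported once it has reached 4 distinct
(destination host, destination port) pairs inside a 3-second window.
"""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress
import re

# Line shape taken from the portscan.log excerpt in the thread, e.g.
#   Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
#   Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)"
)

THRESHOLD_TARGETS = 4   # "THRESHOLD 4 connections"
WINDOW_SECONDS = 3      # "exceeded in 3 seconds"
LOG_YEAR = 2001         # assumed: portscan.log lines carry no year


def parse_line(line, year=LOG_YEAR):
    """Parse one portscan.log line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def detect_scans(lines, home_net, threshold=THRESHOLD_TARGETS,
                 window=WINDOW_SECONDS):
    """Report each source the first time it reaches `threshold` distinct
    destination host:port pairs within `window` seconds.

    The counter is keyed on the source address only, so a client inside
    `home_net` that opens several connections at once is reported exactly
    like an outside host probing it; `outbound_from_home` tells them apart.
    """
    home = ipaddress.ip_network(home_net)
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, dport))
    reported = set()
    hits = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], (rec["dst"], rec["dport"])))
        # Expire entries that fell out of the window (lines are in time order).
        while q and (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold and rec["src"] not in reported:
            reported.add(rec["src"])
            hits.append({
                "src": rec["src"],
                "at": rec["ts"],
                "targets": sorted(targets),
                "outbound_from_home": ipaddress.ip_address(rec["src"]) in home,
            })
    return hits


# Constructed sample log: the first two lines are the ones Adam posted, the
# third is reconstructed from the packet in his anomaly alert, and the rest
# are made up, using documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
Jul 19 05:25:37 24.249.235.55:4778 -> 64.94.89.146:80 SYN ******S*
Jul 19 05:25:37 24.249.235.55:4779 -> 192.0.2.10:80 SYN ******S*
Jul 19 05:25:38 24.249.235.55:4780 -> 192.0.2.11:80 SYN ******S*
Jul 19 05:25:38 24.249.235.55:4781 -> 192.0.2.12:80 SYN ******S*
Jul 19 06:00:00 198.51.100.7:40000 -> 24.249.235.55:21 SYN ******S*
Jul 19 06:00:00 198.51.100.7:40001 -> 24.249.235.55:22 SYN ******S*
Jul 19 06:00:01 198.51.100.7:40002 -> 24.249.235.55:23 SYN ******S*
Jul 19 06:00:01 198.51.100.7:40003 -> 24.249.235.55:25 SYN ******S*
"""

if __name__ == "__main__":
    # HOME_NET assumed to be just Adam's external interface.
    for hit in detect_scans(SAMPLE_LOG.splitlines(), "24.249.235.55/32"):
        kind = "outbound client burst" if hit["outbound_from_home"] else "inbound probe"
        print(f"{hit['at']:%m/%d-%H:%M:%S} {hit['src']} {kind}: {hit['targets']}")
```

Run stand-alone it prints two hits: the spread-out DNS and POP3 connections never put four targets in one window, but the four web connections at 05:25:37-38 do, and the source is the home host, so that hit is a client burst; the four SYNs from 198.51.100.7 to four different ports on the home host are the inbound-probe case. The direction tag is the check worth adding to any triage of these logs, since the alert line itself does not carry it.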
Current thread:
- Interpreting logs Migus, Adam (Jul 19)
- Re: Interpreting logs Ralf Hildebrandt (Jul 19)
- <Possible follow-ups>
- RE: Interpreting logs Migus, Adam (Jul 20)