Snort mailing list archives
Re: RV: portscan
From: "Hugo Ferr" <snortgrp () hotmail com>
Date: Fri, 31 May 2002 15:05:24 -0400
SYN and VECNA entries..... I've seen them a lot when I was doing Nessus scans from inside my network to outside. Do you have Nessus running on your network?

----- Original Message -----
From: "Petriz, Pablo" <ppetriz () siscat com ar>
To: <snort-users () lists sourceforge net>
Sent: Friday, May 31, 2002 2:04 PM
Subject: [Snort-users] RV: portscan
Please. Can someone answer this? Tell me if you need more info.

TIA
PABLO

-----Original message-----
From: Petriz, Pablo
Sent: Thursday, 30 May 2002 04:40
To: 'snort-users () lists sourceforge net'
Subject: portscan

Hello list!

My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2 private networks. At the DMZ we have Apache + SCO Tarantella and a MS Terminal Server to share an application. I have various connections working well, and today we were bringing up a new connection when Snort detected a portscan from the PC (Win98) we were working on. The bring-up job consists of pointing the browser to the site at the DMZ and then logging in to Tarantella, so what can be the cause of the portscan from that PC? portscan.log shows entries to port 80 (apache) and 3144 (tarantella).

Here are the alert and portscan.log files. Thank you!!!

PABLO

alert
=====
[**] [100:1:1] <eth1> spp_portscan: PORTSCAN DETECTED on eth1 to port 80 from x.x.x.x (STEALTH) [**]
05/30-13:21:40.010817
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:22:41.428323
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:22:47.311326
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:25:19.802265
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:29:04.070375
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:36.666846
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:40.024516
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:30:44.383457
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:34:34.340470
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:06.263163
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:16.842867
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:35.662691
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:37:11.728234
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:37:58.647353
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:38:10.834317
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:09.880222
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:31.116911
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:51.451081
[**] [100:2:1] <eth1> spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:44:02.704023
[**] [100:3:1] <eth1> spp_portscan: End of portscan from x.x.x.x: TOTAL time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
05/30-13:44:07.835669

portscan.log
============
May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S*
May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S*
May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S*
May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S*
May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S*
May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S*
May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S*
May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S*
May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S*
May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S*
May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U*****
May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S*
May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S*
May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S*
May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S*
May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S*
May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S*
May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S*
May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S*

_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
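As an added triage example (not code from the thread and not Snort's own), this parses portscan.log lines in the format quoted above, decodes the 12UAPRSF flag field, and reports per source which entries are plain SYNs (ordinary connection attempts, as a browser makes) and which carry the odd flag combinations Snort tagged VECNA/NOACK. The sample lines are constructed from the thread's log, with RFC 5737 addresses standing in for x.x.x.x and y.y.y.y.

```python
import re
from collections import Counter, defaultdict
# Snort 1.8.x portscan.log line, as quoted in the thread:
#   May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
# Last field: TCP flags in "12UAPRSF" order, '*' = unset; UDP lines have none.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<src>[^:\s]+):(?P<sport>\d+)"
    r" -> (?P<dst>[^:\s]+):(?P<dport>\d+) (?P<kind>\S+)(?: (?P<flags>\S{8}))?$")
FLAG_NAMES = "12UAPRSF"
# Constructed sample modelled on the thread's log (RFC 5737 addresses used).
SAMPLE_LOG = """\
May 30 13:21:39 192.0.2.10:1097 -> 198.51.100.5:80 VECNA 1***P**F
May 30 13:22:41 192.0.2.10:1099 -> 198.51.100.5:80 SYN ******S*
May 30 13:22:47 192.0.2.10:1100 -> 198.51.100.5:3144 SYN ******S*
May 30 13:22:49 192.0.2.10:1101 -> 198.51.100.5:80 NOACK *****RSF
May 30 13:30:43 192.0.2.10:1107 -> 198.51.100.5:80 VECNA 12U*****
May 30 13:37:58 192.0.2.10:1125 -> 198.51.100.5:80 SYN ******S*
"""

def decode_flags(flagstr):
    """'1***P**F' -> '1PF': the set bits, kept in 12UAPRSF order."""
    return "".join(n for n, ch in zip(FLAG_NAMES, flagstr) if ch != "*")

def parse_portscan_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unrecognised lines rather than fail
            d = m.groupdict()
            d["flags"] = decode_flags(d["flags"]) if d["flags"] else ""
            rows.append(d)
    return rows

def summarize(rows):
    """Per source: targets hit, Snort's own tags, and every non-SYN flag combo."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    out = {}
    for src, entries in by_src.items():
        # A lone SYN is an ordinary connect (a browser opening a page); the
        # reserved-bit / URG / FIN-without-ACK combos are what to look at first.
        odd = [r for r in entries if r["flags"] != "S"]
        out[src] = {"targets": sorted({(r["dst"], int(r["dport"])) for r in entries}),
                    "kinds": Counter(r["kind"] for r in entries),
                    "plain_syn": len(entries) - len(odd),
                    "odd": [(r["time"], int(r["dport"]), r["flags"]) for r in odd]}
    return out
```

Run against a real portscan.log, a source whose entries are almost all plain SYNs to one or two service ports looks like the session described in the thread, while the `odd` list is where a scanner such as Nessus shows itself.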
Current thread:
- RV: portscan Petriz, Pablo (May 31)
- Re: RV: portscan Hugo Ferr (May 31)
- <Possible follow-ups>
- RE: RV: portscan Petriz, Pablo (Jun 03)