Snort mailing list archives
RE: TCP ******S* portscan
From: Andrew Blevins <ABlevins () arrowheadgrp com>
Date: Fri, 5 Apr 2002 15:25:18 -0800
This is a SYN scan, which sets a flag that some firewalls will allow to pass. That may be the issue.

Feel free to brutally correct me if I'm wrong (which I prob am!)

Happy Hunting
Blev

-----Original Message-----
From: Marcel Hauser [mailto:marcel_hauser () gmx ch]
Sent: Friday, April 05, 2002 4:31 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP ******S* portscan

Hi everybody

I'm new to Snort, and hopefully this is not in any FAQ I didn't read ;)

Can someone please tell me how this could happen: (y.y.y.y is the internal IP address of my webserver and I'm allowing only port 80 and 25 to that server from outside using iptables)

Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
Apr 5 15:51:00 195.186.255.2:3600 -> y.y.y.y:45433 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3601 -> y.y.y.y:45434 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3602 -> y.y.y.y:45435 SYN ******S*
Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
Apr 5 15:51:42 195.186.255.2:3615 -> y.y.y.y:45441 SYN ******S*
Apr 5 15:51:43 195.186.255.2:3616 -> y.y.y.y:45442 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3617 -> y.y.y.y:45443 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3618 -> y.y.y.y:45444 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3638 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3641 -> y.y.y.y:80 SYN ******S*

Thanks in advance

Cheers
Marcel

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
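
Added example, not part of the original messages or of Snort: a small triage script for portscan log lines in the format quoted above, splitting each source's destination ports into those the stated iptables policy permits (25 and 80) and those it should have dropped. The function name, the sample lines and the address 192.0.2.10 (standing in for y.y.y.y) are constructed for illustration.

```python
import re
from collections import defaultdict

ALLOWED_PORTS = {25, 80}  # the ports the poster says iptables permits

# Constructed sample: lines in the format quoted above, with y.y.y.y
# replaced by the documentation address 192.0.2.10.
SAMPLE = """\
Apr 5 15:50:56 195.186.255.2:3595 -> 192.0.2.10:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> 192.0.2.10:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> 192.0.2.10:45430 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> 192.0.2.10:80 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3631 -> 192.0.2.10:80 SYN ******S*
this line is not a portscan entry
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)\s*$"
)

def summarize(log_text, allowed=ALLOWED_PORTS):
    """Group entries by (source, destination) and split destination ports
    into policy-permitted hits and ports the firewall should have dropped.
    Returns (summary, number_of_unparsed_lines)."""
    summary = defaultdict(lambda: {"allowed": 0, "unexpected": []})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            skipped += 1          # never guess at lines we cannot parse
            continue
        entry = summary[(m["src"], m["dst"])]
        dport = int(m["dport"])
        if dport in allowed:
            entry["allowed"] += 1
        else:
            entry["unexpected"].append(dport)
    for entry in summary.values():
        ports = entry["unexpected"]
        # Strictly ascending ports in log order: worth noting during triage.
        entry["ascending"] = len(ports) > 1 and all(
            a < b for a, b in zip(ports, ports[1:]))
    return dict(summary), skipped

if __name__ == "__main__":
    for pair, entry in summarize(SAMPLE)[0].items():
        print(pair, entry)
```
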
Current thread:
- TCP ******S* portscan Marcel Hauser (Apr 05)
- Re: TCP ******S* portscan Matt Kettler (Apr 05)
- Re: TCP ******S* portscan Hauser Marcel (Apr 05)
- Message not available
- Re: TCP ******S* portscan Matt Kettler (Apr 05)
- Re: TCP ******S* portscan "SOLVED" Marcel Hauser (Apr 06)
- Re: TCP ******S* portscan Matt Kettler (Apr 05)
- Re: TCP ******S* portscan Ricardo SIGNES (Apr 05)
- <Possible follow-ups>
- RE: TCP ******S* portscan Andrew Blevins (Apr 05)
- RE: TCP ******S* portscan Hauser Marcel (Apr 05)
- RE: TCP ******S* portscan Marcel Hauser (Apr 05)
- Re: TCP ******S* portscan Chris Keladis (Apr 05)
- RE: TCP ******S* portscan Andrew Blevins (Apr 05)