Snort mailing list archives
Re: TCP ******S* portscan
From: Hauser Marcel <marcel_hauser () gmx ch>
Date: Fri, 05 Apr 2002 15:33:03 -0800
On 06.04.2002 at 00:05:31, Matt Kettler <mkettler () evi-inc com> wrote:

> Is the IP tables firewall running on a machine which is up-stream of snort (not on the same box or somewhere downstream)?

No, snort is running on the internal interface at the firewall.

> So, unless your snort is running downstream of the iptables firewall, don't worry, this is normal for snort to see. If snort is downstream, i.e. you have a computer with 2 ethernet interfaces using iptables prior to routing between them and snort is on the "inside" of that router, well, your iptables aren't doing what you expect.

Are you joking? <I'm scared now> Well... My firewall has iptables on it and is doing NAT. And yes, snort is running on the internal interface of the firewall. OK... I know this is not snort related, but what "misconfiguration" on the iptables side could cause such behavior? Some connection tracking modules maybe? How can I track this down? Thanks for any hints on this!!

> In either event, it does mean that 195.186.255.2 did a sequential tcp portscan on your webserver.

I ran several portscans (sequential) by myself, and the firewall always successfully blocked them!? Hmmmm...

Thanks for your help, Matt!

Cheers
Marcel