Snort mailing list archives

Re: TCP ******S* portscan


From: Hauser Marcel <marcel_hauser () gmx ch>
Date: Fri, 05 Apr 2002 15:33:03 -0800

On 06.04.2002 at 00:05:31, Matt Kettler <mkettler () evi-inc com> wrote:

> Is the IP tables firewall running on a machine which is up-stream of snort 
> (not on the same box or somewhere downstream)?

No, snort is running on the internal interface at the firewall.

> So, unless your snort is running downstream of the iptables firewall, don't 
> worry, this is normal for snort to see. If snort is downstream, i.e. you 
> have a computer with 2 ethernet interfaces using iptables prior to routing 
> between them and snort is on the "inside" of that router, well, your 
> iptables aren't doing what you expect.

Are you joking? <I'm scared now>
Well... My firewall has iptables on it and is doing NAT. And yes, snort is
running on the internal interface of the firewall.

Ok... I know this is not snort related, but what "misconfiguration?" on the
iptables side could cause such a behavior? Some connection tracking modules
maybe? How can I track this down?

Thanks for any hints on this!!

> In either event, it does mean that 195.186.255.2 did a sequential tcp 
> portscan on your webserver.

I ran several portscans (sequential) by myself, and the firewall always
successfully blocked them!? Hmmmm...

Thanks for your help, Matt!

Cheers Marcel
