Snort mailing list archives

Re: 17203 portscan alerts in 23 hours from same IP


From: Jon Quiros <sysadmin () ncemch org>
Date: 10 Jul 2002 14:54:42 -0400

someone that replied off-list wrote this:

"Looks to me like your source and dest IPs are showing up backwards. It is not a scan, but merely the random source 
port 1024 incrementing with each connection. Your end user must be doing a lot of on-line banking with Citibank I would 
say."

This would make perfect sense to me, except I can't envision her staying overnight doing online banking stuff, or any 
program running in the background following the same pattern over and over again.

Jon Q

Snort 1.8.6 (Build 105) to MySQL on darwin, using ACID.


I've gotten used to seeing portscans lasting from a few seconds
to a few minutes, and from *transient* IPs, unlike
192.193.195.132 (one of citigroup's web servers, compromised?).
All activity is from port 80 and looks like it's scanning
several ports between 1951 and 2014, over and over again.  I
know the person on the scanned machine uses yahoo me$$@#%r on
occasion but I'd never seen this raised before.  So if this is
not a false positive, would it look like more of a targeted
scan?

I'm guessing this might be something to NOT be concerned with,
but I'd like to learn more about it, so if you can share some
info or insight about it that'll help me see the larger picture,
I'd appreciate and benefit from it.

Thank you!
Jon Q

part of portscan.log
=====
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:11:25 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:11:34 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:11:40 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:13:20 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:13:21 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:13:30 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:13:36 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:13:40 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
=====
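An added example, not from the post or the list: a small Python check that reads lines in the Snort 1.8 portscan.log format shown above and flags a (src, dst) group where every packet comes from one service port with ACK set and no SYN, toward climbing ephemeral ports, as likely return traffic of client-initiated connections (the "source and dest backwards" case the off-list reply describes) rather than a scan. The sample lines, including the SYN lines used as a contrast, are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the portscan.log format quoted in the post,
# plus three constructed SYN lines that should still look like a scan.
SAMPLE_LOG = """\
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F
Jul  9 10:20:00 203.0.113.9:40000 -> one.of.my.users:22 SYN ******S*
Jul  9 10:20:00 203.0.113.9:40001 -> one.of.my.users:23 SYN ******S*
Jul  9 10:20:01 203.0.113.9:40002 -> one.of.my.users:80 SYN ******S*
"""

# timestamp  src:sport -> dst:dport  type  flags (8 chars, order 12UAPRSF)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # Snort prints TCP flags in the fixed order 12UAPRSF; '*' means not set.
    rec["ack"] = rec["flags"][3] == "A"
    rec["syn"] = rec["flags"][6] == "S"
    return rec

def classify(lines):
    """Group packets by (src, dst) and give each group a verdict."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["dst"])].append(rec)
    verdicts = {}
    for key, recs in groups.items():
        sports = {r["sport"] for r in recs}
        one_service_port = len(sports) == 1 and next(iter(sports)) < 1024
        ack_only = all(r["ack"] and not r["syn"] for r in recs)
        ephemeral_dports = all(r["dport"] >= 1024 for r in recs)
        if one_service_port and ack_only and ephemeral_dports:
            # Replies from a well-known port to the client's ephemeral ports:
            # read src/dst the other way round before calling it a scan.
            verdicts[key] = "likely-return-traffic"
        else:
            verdicts[key] = "possible-scan"
    return verdicts
```

Run `classify(SAMPLE_LOG.splitlines())` to see the port-80 group marked as return traffic and the SYN group left as a possible scan.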
