Snort mailing list archives
Re: 17203 portscan alerts in 23 hours from same IP
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 10 Jul 2002 16:37:57 -0400
Perhaps the citibank webpage has a gif-image which reloads at regular intervals? In that case all she'd need to do is leave the browser open, and those kinds of reloading images are pretty common.
It strikes me as highly absurd to consider reset/fin packets coming from port 80 on a valid webserver to be a portscan of any sort. Sure webservers get knocked over and used to attack others sometimes, but very rarely do those scans originate from port 80 (since they'd have to shut the webserver down) and rarely do they consist of ARF ("close connection and stop talking to me, don't even acknowledge the close") type packets at regular intervals to normal client ports. ARF isn't exactly a very useful combination of flags for portscanning AFAIK.
I think the appropriate question to ask here is "why was my user's machine trying to contact citibank's website so frequently" rather than "why was citibank scanning me", and I think the answer is that someone had a couple of pages with self-refreshing images open and left the browser running.
At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
someone that replied off-list wrote this:

"Looks to me like your source and dest IPs are showing up backwards. It is not a scan, but merely the random source port 1024 incrementing with each connection. Your end user must be doing a lot of on-line banking with Citibank I would say."

This would make perfect sense to me, except I can't envision her staying overnight doing online banking stuff, or any program running in the background following the same pattern over and over again.

Jon Q
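The triage Matt describes (is the "scanner" really a web server tearing down connections that a local client keeps opening?) can be scripted. The following is an added example, not code from the thread or from Snort; it assumes a simplified "timestamp src:port -> dst:port FLAGS" line layout and constructed sample data with documentation-range addresses, not Snort's actual portscan.log format.

```python
import re
from collections import defaultdict

# Constructed sample alerts (not real data). First group: port 80 answering a
# client's incrementing ephemeral ports with ACK/RST/FIN; second: a real-looking
# SYN sweep of well-known ports from one remote host.
SAMPLE_ALERTS = """\
Jul 10 02:15:01 198.51.100.5:80 -> 192.0.2.10:1041 ARF
Jul 10 02:16:01 198.51.100.5:80 -> 192.0.2.10:1042 ARF
Jul 10 02:17:01 198.51.100.5:80 -> 192.0.2.10:1043 ARF
Jul 10 02:18:01 198.51.100.5:80 -> 192.0.2.10:1044 ARF
Jul 10 03:00:07 203.0.113.9:41234 -> 192.0.2.10:21 S
Jul 10 03:00:07 203.0.113.9:41235 -> 192.0.2.10:22 S
Jul 10 03:00:07 203.0.113.9:41236 -> 192.0.2.10:23 S
Jul 10 03:00:07 203.0.113.9:41237 -> 192.0.2.10:25 S
"""

# Assumed line layout for this example (not Snort's own format).
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sip, sport, dip, dport, flags = m.groups()
            rows.append({"ts": ts, "sip": sip, "sport": int(sport),
                         "dip": dip, "dport": int(dport), "flags": flags})
    return rows

def triage(rows):
    """Per source IP: flag 'server replies' when the source port is a single
    well-known port, every target port is ephemeral and increasing, and each
    packet carries RST or FIN (connection teardown, not probing)."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["sip"]].append(r)
    verdicts = {}
    for sip, hits in by_src.items():
        sports = {r["sport"] for r in hits}
        dports = [r["dport"] for r in hits]
        fixed_service_port = len(sports) == 1 and next(iter(sports)) < 1024
        ephemeral_targets = all(p >= 1024 for p in dports)
        increasing = all(a < b for a, b in zip(dports, dports[1:]))
        teardown = all(set("RF") & set(r["flags"]) for r in hits)
        if fixed_service_port and ephemeral_targets and increasing and teardown:
            verdicts[sip] = "server replies: investigate local client " + hits[0]["dip"]
        else:
            verdicts[sip] = "possible scan"
    return verdicts
```

The "server replies" verdict points the analyst at the local client (here 192.0.2.10), which is the question Matt says should be asked first.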