Snort mailing list archives
Re: am i scanning other ip's?
From: James Hoagland <hoagland () SiliconDefense com>
Date: Mon, 9 Dec 2002 13:00:18 -0500
Alfredo,

At 10:36 AM +0100 12/9/02, Alfredo D wrote:

hi. First of all excuse my English. I'm new to snort, but I installed a Mandrake Firewall that uses it, and looking in logs I found this in portscan.log. It seems like my computer is doing portscans to other ip's. right? What is SYN ******S*? The ports 61XXX? I installed the computer two days ago. Is it being hacked?
What you show here looks like normal web surfing to me; port 80 traffic mixed with UDP DNS traffic. Timing seems about right. One of the IPs listed resolves to Google even.
It looks like you need to turn down the sensitivity of the portscan detector.

Kind regards,

Jim
Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:40 [my own ip]:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:44 [my own ip]:61596 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:05:59 [my own ip]:61600 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:00 [my own ip]:61601 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:10 [my own ip]:61602 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:20 [my own ip]:61606 -> 63.209.80.228:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61608 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61609 -> 63.209.80.229:80 SYN ******S*
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
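
Added example, not part of the original message and not Snort's own code: a small Python triage of portscan.log lines in the format quoted above, counting distinct destination hosts and ports per source to separate ordinary client traffic from something worth a closer look. The port allow-list, the threshold and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Sample input: five lines copied from the portscan.log excerpt in the thread,
# with the poster's redaction placeholders left in place.
SAMPLE = """\
Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
"""

ENDPOINT = r"(\[[^\]]+\]|[\d.]+):(\d+)"  # address (or redaction tag) and port
LINE_RE = re.compile(rf"^\w+\s+\d+\s+[\d:]+\s+{ENDPOINT}\s+->\s+{ENDPOINT}\s+(SYN|UDP)\b")
# Assumed values for this illustration; tune them for the monitored network.
COMMON_CLIENT_PORTS = {53, 80, 443}
MAX_PORTS_PER_HOST = 5


def parse(text):
    """Yield (src, sport, dst, dport, proto) for each recognisable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m[1], int(m[2]), m[3], int(m[4]), m[5]


def triage(text):
    """Summarise each source and label it 'client-like' or 'review'."""
    ports_by_host = defaultdict(lambda: defaultdict(set))
    for src, _sport, dst, dport, _proto in parse(text):
        ports_by_host[src][dst].add(dport)
    report = {}
    for src, hosts in ports_by_host.items():
        all_ports = set().union(*hosts.values())
        widest = max(len(ports) for ports in hosts.values())
        client_like = all_ports <= COMMON_CLIENT_PORTS and widest <= MAX_PORTS_PER_HOST
        report[src] = {
            "hosts": len(hosts),
            "dst_ports": sorted(all_ports),
            "max_ports_on_one_host": widest,
            "verdict": "client-like" if client_like else "review",
        }
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted excerpt every destination port is 53 or 80 and no single host is probed on more than one port, which is the pattern of a browser and resolver rather than a scanner; the rising 61xxx numbers are the client's own ephemeral source ports.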