Snort mailing list archives
Re: Web servers scanning clients!!!
From: Jason <security () brvenik com>
Date: Thu, 26 Dec 2002 20:17:47 -0500
Curious, what is your config like? Specifically, targets_max, target_limit, port_limit. Is it a case where you have more hosts on your net than targets_max is set to?

Jason

Matt Kettler wrote:
Actually, note that those are ack-syn packets from their port 80 to ports in the "client" range on your system. You're the one "scanning" them. In this case your web browser is rapidly opening connections to download a large number of small images in the page. Each successive connection gets a different source port on your side, and the responses look like a portscan to the portscan2 preprocessor.

I too have this problem with portscan2 since I enabled it. It seems that some awareness of the outbound syn packets from your home_net should be present to keep this from false-alerting, but it doesn't seem to be present in snort 1.9.0. (This could also be a config bug on my part, and Farzin's too.)

Is this a known bug, or is there some way to tell the portscan2 preprocessor how to properly understand large bursts of outbound client connections from HOME_NET?

At 04:15 PM 12/26/2002 -0800, Farzin wrote:

Hi All,

Looking at my snort logs, I see that when a user accesses some sites such as http://www.nationalenquirer.com (38.144.52.102), the server turns around and scans about 21 ports on the client. Does anyone know why this is? Below is the log:

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x4613D2D4 Ack: 0xF07A44E3 Win: 0x2798 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229213631 743607218 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x49DDC83A Ack: 0xF12A7099 Win: 0x2798 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229216268 743609855 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460

TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204

TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213

Thanks in advance,
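To illustrate Matt's explanation, here is an added Python sketch (not code from the thread or from Snort) that replays a constructed browser burst and a constructed inbound probe through a portscan2-style "distinct destination ports per source in a time window" counter, first with no notion of direction and then with awareness of the SYNs HOME_NET sent out. The client address, threshold and timings are assumed, and the real preprocessor's internals differ; the point is only that a SYN-ACK whose reverse 4-tuple matches an outbound SYN is a reply, not a probe.

```python
from collections import defaultdict

HOME_NET = {"10.0.0.5"}      # assumed client address, standing in for MY.IP
PORT_LIMIT = 20              # assumed threshold, in the spirit of port_limit
WINDOW = 2.0                 # seconds, matching the "21 ports in 2 seconds" alert

# A packet is (timestamp, src, dst, sport, dport, flags); flags is "S" or "SA".

def browser_burst(n, t0=0.0):
    """Constructed traffic: a browser opens n connections to one web server and
    the server answers each from port 80, exactly the pattern in the thread's log."""
    pkts = []
    for i in range(n):
        cport = 34189 + i                          # successive ephemeral ports
        pkts.append((t0 + i * 0.05, "10.0.0.5", "38.144.52.102", cport, 80, "S"))
        pkts.append((t0 + i * 0.05 + 0.01, "38.144.52.102", "10.0.0.5", 80, cport, "SA"))
    return pkts

def inbound_probe(n, t0=10.0):
    """Constructed traffic: an outside host (documentation address) sends SYNs to
    n different ports on the client with no outbound SYN preceding them."""
    return [(t0 + i * 0.05, "192.0.2.9", "10.0.0.5", 40000 + i, 1 + i, "S")
            for i in range(n)]

def count_alerts(pkts, direction_aware):
    """Return [(src, distinct_ports)] alerts. Without direction awareness every
    SYN or SYN-ACK is a probe, so the server's replies become a 'scan'. With it,
    a SYN-ACK that answers a SYN HOME_NET sent earlier is skipped."""
    pending = set()                  # (client, server, cport, sport) of outbound SYNs
    seen = defaultdict(list)         # src -> [(ts, (dst, dport))]
    alerts = []
    for ts, src, dst, sport, dport, flags in sorted(pkts):
        if flags == "S" and src in HOME_NET:
            pending.add((src, dst, sport, dport))
        elif direction_aware and flags == "SA" and (dst, src, dport, sport) in pending:
            pending.discard((dst, src, dport, sport))
            continue                 # reply to a connection we opened: not a probe
        seen[src].append((ts, (dst, dport)))
        recent = {tgt for t, tgt in seen[src] if ts - t <= WINDOW}
        if len(recent) >= PORT_LIMIT:
            alerts.append((src, len(recent)))
            seen[src].clear()        # reset after alerting, as a preprocessor would
    return alerts

if __name__ == "__main__":
    traffic = browser_burst(21) + inbound_probe(25)
    print("no direction awareness:", count_alerts(traffic, direction_aware=False))
    print("direction aware       :", count_alerts(traffic, direction_aware=True))
```

The first run reports the web server as a scanner, the second reports only the outside host that actually sent unsolicited SYNs.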
Current thread:
- Web servers scanning clients!!! Farzin (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Alberto Gonzalez (Dec 26)