Snort mailing list archives
Snort portscan false positives?
From: Felipe Alfaro Solana <snort () felipe-alfaro com>
Date: 09 Oct 2002 21:45:04 +0200
Hi! I'm new to Snort and IDS... I'm curious to know what's passing through my ADSL router, so I installed SNORT on an old spare computer. I own a 3Com OfficeConnect 812 ADSL router... it's discontinued but works pretty fine. It's an ADSL router and a 4-port hub, so I hooked up my old computer to one of the ports of the router so I could analyze all the traffic coming in/going out from/to the Internet. I installed SNORT 1.9, grabbed and installed the latest set of signatures.

Since I installed SNORT, I'm seeing a lot of portscan attempts to my main computer (IP address 192.168.0.100, the one I use to write e-mails, surf the Web, etc). For example, I have seen the following alert:

--- BEGIN ---
10/09-21:17:21.903879 [**] [117:1:1] (spp_portscan2) Portscan detected from 62.6.161.75: 1 targets 21 ports in 24 seconds [**] {TCP} 62.6.161.75:80 -> 192.168.0.100:33395
--- END ---

and

--- SCAN.LOG ---
10/09-21:17:21.903879 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33395 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
10/09-21:17:21.907279 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33396 tgts: 1 ports: 22 flags: ***A**S* event_id: 51
10/09-21:17:21.910502 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33397 tgts: 1 ports: 23 flags: ***A**S* event_id: 51
10/09-21:17:21.913687 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33398 tgts: 1 ports: 24 flags: ***A**S* event_id: 51
10/09-21:17:21.917141 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33399 tgts: 1 ports: 25 flags: ***A**S* event_id: 51
10/09-21:17:21.920222 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33400 tgts: 1 ports: 26 flags: ***A**S* event_id: 51
10/09-21:17:21.925067 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33401 tgts: 1 ports: 27 flags: ***A**S* event_id: 51
--- END ---

This is very, very curious. My router is using NAT and does not forward traffic. So, how is it possible for an external host to reach ports on my working machine? If I understand NAT correctly, when a LAN host contacts an Internet host, an entry is added in the router to correlate the LAN source IP and port with the Internet destination IP and port, so the Internet host can only communicate with (send packets back to) me. So, it's virtually impossible for the Internet host to access any ports other than the ones that are listed in the NAT table of the router. Isn't it? So let's say LAN computer 10.0.0.1:39000 contacts Internet host 62.0.0.1:80... The Internet host can only reach the LAN computer at port 39000, as this is the only entry listed on the router NAT table.

So, based on the previous information, it seems that my web browser is connecting to an Internet host to download content (JPG, GIF, etc) very, very fast, using new connections and thus with sequentially increasing source ports. It seems that SNORT is taking these connections as a portscan attempt, but I think this is my web browser opening and closing HTTP connections against the web site very, very fast. Also, since the Internet source port is always 80, this leads me to think it's simply a lot of HTTP traffic coming and going between my Web browser and the Web site.

Can anybody throw some light on this?

Thanks! Best regards...
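A small triage helper, added here as an example (it is not part of the original post and not Snort's own code), that parses spp_portscan2 scan.log lines in the format quoted above and flags a burst as probable server reply traffic when every line comes from one well-known source port, carries SYN+ACK, and walks consecutive ephemeral destination ports. The 203.0.113.9 line is a constructed contrast case, not from the post.

```python
import re

# Constructed sample: three lines copied from the post's SCAN.LOG format plus
# one made-up SYN-only probe to a low port (documentation-range address).
SAMPLE_SCAN_LOG = """\
10/09-21:17:21.903879 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33395 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
10/09-21:17:21.907279 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33396 tgts: 1 ports: 22 flags: ***A**S* event_id: 51
10/09-21:17:21.910502 TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80 dport: 33397 tgts: 1 ports: 23 flags: ***A**S* event_id: 51
10/09-21:30:00.000000 TCP src: 203.0.113.9 dst: 192.168.0.100 sport: 41234 dport: 22 tgts: 1 ports: 1 flags: ******S* event_id: 52
"""

# One scan.log record: timestamp, proto, 5-tuple, counters, Snort flag string.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) event_id: (?P<eid>\d+)$"
)

def parse_scan_log(text):
    """Return a list of dicts, one per well-formed scan.log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "tgts", "ports", "eid"):
                d[key] = int(d[key])
            events.append(d)
    return events

def looks_like_server_replies(events):
    """Heuristic: one remote (src, well-known sport), every packet SYN+ACK
    (a server answering our SYN), destination ports all ephemeral and
    strictly consecutive, i.e. the local client's own increasing source ports."""
    if not events:
        return False
    remotes = {(e["src"], e["sport"]) for e in events}
    if len(remotes) != 1 or next(iter(remotes))[1] >= 1024:
        return False
    # Snort flag string is 12UAPRSF; unset bits are '*'.
    if any("A" not in e["flags"] or "S" not in e["flags"] for e in events):
        return False
    dports = [e["dport"] for e in events]
    if min(dports) < 1024:
        return False
    return all(b - a == 1 for a, b in zip(dports, dports[1:]))

def triage(text):
    """Group records by remote source and label each group."""
    by_src = {}
    for e in parse_scan_log(text):
        by_src.setdefault(e["src"], []).append(e)
    return {src: ("likely HTTP reply traffic, not a scan"
                  if looks_like_server_replies(evs) else "review")
            for src, evs in by_src.items()}
```

Run triage() over a real scan.log to separate bursts that match the browser-download pattern from records that still deserve a look.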
Current thread:
- Snort portscan false positives? Felipe Alfaro Solana (Oct 09)
- Re: Snort portscan false positives? Erek Adams (Oct 09)
- Re: Snort portscan false positives? Felipe Alfaro Solana (Oct 09)
- Re: Snort portscan false positives? Erek Adams (Oct 09)
- Re: Snort portscan false positives? Bob Van Cleef (Oct 10)
- Re: Snort portscan false positives? Felipe Alfaro Solana (Oct 09)
- Re: Snort portscan false positives? Erek Adams (Oct 09)
- <Possible follow-ups>
- RE: Snort portscan false positives? Beckett, Josh (Oct 09)