Snort mailing list archives
RE: Portscan 2 question
From: Soren Macbeth <smacbeth () atc-nycorp com>
Date: Thu, 24 Oct 2002 14:32:59 -0400
I'm not sure about the udp dport 27160 stuff. Are you running some application on that port? It's all traffic to one particular host. You may want to check into that. The second one is definitely benign web browsing.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 2:26 PM
To: Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

Here is what I found in that scan.log file for the 2 dest IPs...

Instance 1>
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks
Joe

On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:

Look at the ports that portscan2 reported. Sometimes clients browsing websites cause portscan2 to trigger based on the fact that some browsers initiate a new connection (and thus, new port) for each image. If you haven't changed the config, there should be a scan.log file in your snort log directory which will have more info.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as an spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.

Thanks
Joe

-------------------------------------------------------
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now. http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users