Snort mailing list archives
Re: portscan2 and conversation
From: "Denny Page" <denny () cococafe com>
Date: Tue, 16 Sep 2003 11:27:15 -0700
If anyone is interested, this turns out to be a defect in spp_conversation. If you are seeing hundreds or thousands of SYN/ACK entries in the scan log like so:

09/13-18:38:17.928330 TCP src: X.X.X.X dst: X.X.X.X sport: 80 dport: X tgts: 1 ports: 150 flags: ***A**S* event_id: 482

This is due to a defect in spp_conversation.c. A patch has been submitted.

Denny

----- Original Message -----
From: "Denny Page" <denny () cococafe com>
To: "Snort Users" <snort-users () lists sourceforge net>
Sent: Saturday, September 13, 2003 16:02
Subject: [Snort-users] portscan2 and conversation
Ok, dumb question time. I have portscan2 set up to ignore hosts from my local network. This appears to work fine for both TCP and UDP, i.e. no alerts from DNS activity, and no alerts from nmaps within the network. Nmaps from outside the network trigger alerts as you would expect. This is all desirable.

What is not desirable is that alerts are being triggered by outbound HTTP requests. When visiting a site that is comprised of many individual files such as graphic navigation bars (www.securityfocus.com is one such), portscan2 reports that the remote HTTP server is executing a portscan on the machine running the browser. Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP server sends in response to the SYN from the browser. Since the SYN-ACK is being sent in response to a connection (conversation) initiated by a portscan2 ignored host, I would not expect it to trigger an alert. Isn't this what conversation is for? Am I missing something, or is portscan2 goofy?

Thanks for any assistance,

Denny

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
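The failure mode in this thread (a web server's SYN/ACK replies to a browser on an ignored local host being counted as a 150-port scan) comes down to whether the scan counter consults conversation state before counting a packet. The model below is an added example and not Snort's spp_portscan2 or spp_conversation code: it is a deliberately simplified counter with a switch for conversation tracking, run over constructed traffic (documentation-range addresses, the `web_session` and `syn_scan` generators, and the threshold of 20 are all assumptions). It shows that without the conversation check the server is reported with `tgts: 1 ports: 150`, exactly the shape of the scan-log line quoted above, that with the check the same traffic produces nothing, and that a genuine outside SYN scan still alerts either way.

```python
"""Simplified model of portscan counting with and without conversation
tracking.  Added example; not Snort's spp_portscan2 or spp_conversation code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class ScanCounter:
    """Count distinct (target, port) pairs per source host; alert at a threshold.

    With track_conversations=True, a packet that answers a connection its peer
    already opened (a SYN/ACK to an earlier SYN) belongs to that conversation
    and is never counted as a probe, which is the behaviour the post expects.
    """
    ignored_hosts: Set[str]
    threshold: int
    track_conversations: bool = True
    # (initiator, initiator port, responder, responder port) of every SYN seen
    conversations: Set[Tuple[str, int, str, int]] = field(default_factory=set)
    # source host -> (target, port) pairs it has touched outside a conversation
    touched: Dict[str, Set[Tuple[str, int]]] = field(default_factory=dict)
    alerted: Set[str] = field(default_factory=set)

    def observe(self, pkt: Packet) -> Optional[dict]:
        """Feed one packet; return an alert record when a source crosses the threshold."""
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.conversations.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.track_conversations and reverse in self.conversations:
            return None  # reply inside a conversation the peer initiated
        if pkt.src in self.ignored_hosts:
            return None  # portscan2-style ignore list applies to the sender only
        pairs = self.touched.setdefault(pkt.src, set())
        pairs.add((pkt.dst, pkt.dport))
        if len(pairs) >= self.threshold and pkt.src not in self.alerted:
            self.alerted.add(pkt.src)
            return self.report(pkt.src)
        return None

    def report(self, src: str) -> dict:
        """Summary in the shape of the scan-log fields quoted in the post."""
        pairs = self.touched.get(src, set())
        return {"src": src, "tgts": len({t for t, _ in pairs}), "ports": len(pairs)}


def web_session(client: str, server: str, objects: int) -> List[Packet]:
    """Constructed traffic: a browser opens one TCP connection per page object."""
    pkts: List[Packet] = []
    for i in range(objects):
        cport = 40000 + i
        pkts.append(Packet(client, cport, server, 80, SYN))
        pkts.append(Packet(server, 80, client, cport, SYN | ACK))
    return pkts


def syn_scan(scanner: str, target: str, ports: int) -> List[Packet]:
    """Constructed traffic: an outside host sends a bare SYN to each target port."""
    return [Packet(scanner, 55555, target, p, SYN) for p in range(1, ports + 1)]


def run(pkts: List[Packet], ignored: Set[str], track_conversations: bool,
        threshold: int = 20) -> Tuple[List[dict], ScanCounter]:
    """Replay packets through a fresh counter; return the alerts and the counter."""
    counter = ScanCounter(ignored, threshold, track_conversations)
    alerts: List[dict] = []
    for p in pkts:
        a = counter.observe(p)
        if a:
            alerts.append(a)
    return alerts, counter


if __name__ == "__main__":
    local, web, outside = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    browsing = web_session(local, web, 150)
    for tracking in (False, True):
        alerts, c = run(browsing, {local}, tracking)
        print("browsing, conversation tracking", tracking, "->", alerts, c.report(web))
    alerts, _ = run(syn_scan(outside, local, 50), {local}, True)
    print("real scan with tracking ->", alerts)
```

The one design point worth noting is the lookup key: the counter records every bare SYN as (initiator, initiator port, responder, responder port) and checks each later packet against the reversed tuple, so only a reply to a connection the peer actually opened is excused. A packet from a host that was never the target of a SYN (the outside scanner) has no reverse entry and is counted normally, which is why suppressing the false positive does not also suppress real scans.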
Current thread:
- portscan2 and conversation Denny Page (Sep 13)
- Re: portscan2 and conversation Denny Page (Sep 16)
- <Possible follow-ups>
- RE: portscan2 and conversation Kreimendahl, Chad J (Sep 15)
- Snort don't detect any attack Adriano Frare (Sep 15)