Snort mailing list archives

RE: Snort Logs [HITCON VIRUS CHECK: OK]


From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Thu, 3 Jun 2004 08:00:38 -0400

That is pretty typical of a webserver.  A client browser will open multiple connections to the server, perhaps to 
download many images concurrently. Snort will then see the server sending data back to multiple ports on the client. 
This can trigger the port scan mechanism.


-----Original Message-----
From:   snort-users-admin () lists sourceforge net on behalf of Maik.Linnemann () hitcon de
Sent:   Thu 06/03/2004 06:37 AM
To:     snort-users () lists sourceforge net
Cc:     
Subject:        [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]




Today I checked my logfiles and found really strange things in my IDS logs -
I found this:

Datum: 05/24 08:41:30 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 57 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:60847
Referenz: nichts gefunden SID: n/a

Datum: 05/24 09:10:04 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 2 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33149
Referenz: nichts gefunden SID: n/a

Datum: 05/24 09:11:22 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 18 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33281
Referenz: nichts gefunden SID: n/a

First of all: both of the addresses belong to me!!!!! The one out of port 80
is my mail server and a webserver is also running on that machine. The
other one (targeted on 33281) is also mine, at a second location.... They're
connected via VPN......but as you see, they use the external IP addresses,
so I guess it doesn't come from the inside of my nets...
I'm really not so deep into Snort, so if anyone could explain a little bit
what it could be - that would be great!!!!

What shall I do now? I haven't done a port scan!???? What do you think?

HITCON AG
Maik Linnemann
Gartenstrasse 208
48147 Münster
0251/2801-206 (Phone)
0251/2801-280 (Fax)
0170/6364123 (Mobil)
Mail: info () hitcon de
http://www.hitcon.de



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
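
The pattern described in the reply (a server on port 80 answering one client on many high ports) can be checked for when triaging spp_portscan2 alerts. The following is an added example, not part of the original messages and not Snort's own code; the function name `triage`, the `SERVICE_PORTS` set, the 1024 threshold and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample alerts in the layout quoted in the post; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
Datum: 05/24 08:41:30 Name: (spp_portscan2) Portscan detected from
192.0.2.10: 1 targets 21 ports in 57 seconds
Priorität: n/a Typ: n/a
IP-Info: 192.0.2.10:80 -> 198.51.100.7:60847
Referenz: nichts gefunden SID: n/a

Datum: 05/24 09:30:00 Name: (spp_portscan2) Portscan detected from
203.0.113.5: 1 targets 40 ports in 3 seconds
Priorität: n/a Typ: n/a
IP-Info: 203.0.113.5:41022 -> 192.0.2.10:22
Referenz: nichts gefunden SID: n/a
"""

ALERT_RE = re.compile(
    r"Portscan detected from\s+(?P<scanner>\S+):\s+(?P<targets>\d+) targets\s+"
    r"(?P<ports>\d+) ports in \d+ seconds.*?"
    r"IP-Info:\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)",
    re.DOTALL,
)
SERVICE_PORTS = {25, 80, 443}   # assumption: ports your own servers listen on
CLIENT_PORT_MIN = 1024          # assumption: client source ports are unprivileged

def triage(text, service_ports=SERVICE_PORTS):
    """Return one dict per alert with a verdict on whether it looks like server replies."""
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):   # one alert per blank-line block
        m = ALERT_RE.search(block)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        # A "scanner" that talks from a listening service port to a single host's
        # high ports matches the multiple-browser-connections case from the reply.
        is_reply = (m["scanner"] == m["src"] and sport in service_ports
                    and dport >= CLIENT_PORT_MIN and int(m["targets"]) == 1)
        results.append({"scanner": m["scanner"], "sport": sport, "dport": dport,
                        "ports": int(m["ports"]),
                        "verdict": "likely server reply" if is_reply else "review"})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

A "likely server reply" verdict is a triage hint for prioritising alerts; anything marked "review" still needs to be looked at against the actual traffic.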




