Snort mailing list archives
Re: Re: Snort Logs [HITCON VIRUS CHECK: OK]
From: Maik.Linnemann () hitcon de
Date: Thu, 3 Jun 2004 14:29:09 +0200
That's absolutely right, but now I found out, or rather I forgot, that I have a Squid proxy at one location which is used by the whole domain. The start site of the users' computers is the one on my webserver, so whenever someone opens their browser the Squid attempts a connection to my webserver. If a lot of users open their browser it might be what you told me in your mail!? But what I don't understand is: look at these two log files:

Datum: 06/03 11:46:02
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 46 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 217.95.238.230:33551
Referenz: nichts gefunden
SID: n/a

In this one above the address of my webserver:80 scans to an address:33551 SOMEWHERE........ why? And in this one my webserver:80 scans to MY net address:35015 - this could be the proxy problem!?

Datum: 06/03 11:56:05
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 2 targets 21 ports in 14 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:35015
Referenz: nichts gefunden
SID: n/a

I am really confused!!!

"Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner@baesystems.com> wrote on 03.06.2004 14:00:
To: <Maik.Linnemann () hitcon de>, <snort-users () lists sourceforge net>
Cc:
Subject: RE: [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]

That is pretty typical of a webserver. A client browser will open multiple connections to the server, perhaps to download many images concurrently. Snort will then see the server sending data back to multiple ports on the client. This can trigger the port scan mechanism.
-----Original Message-----
From: snort-users-admin () lists sourceforge net on behalf of Maik.Linnemann () hitcon de
Sent: Thu 06/03/2004 06:37 AM
To: snort-users () lists sourceforge net
Cc:
Subject: [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]

Today I checked my logfiles and found really strange things in my IDS logs - I found this:

Datum: 05/24 08:41:30
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 57 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:60847
Referenz: nichts gefunden
SID: n/a

Datum: 05/24 09:10:04
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 2 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33149
Referenz: nichts gefunden
SID: n/a

Datum: 05/24 09:11:22
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 18 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33281
Referenz: nichts gefunden
SID: n/a

First of all: both of the addresses belong to me!!!!! The one out of port 80 is my mail server, and a webserver is also running on that machine. The other one (targeted on 33281) is also mine at a second location.... They're connected via VPN...... but as you see, they use the external IP addresses, so I guess it doesn't come from the inside of my nets... I'm really not so deep into Snort, so if anyone could explain a little bit what it could be - that would be great!!!! What shall I do now? I haven't done a port scan!???? What do you think?

HITCON AG
Maik Linnemann
Gartenstrasse 208
48147 Münster
0251/2801-206 (Phone)
0251/2801-280 (Fax)
0170/6364123 (Mobil)
Mail: info () hitcon de
http://www.hitcon.de

-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
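Added example, not from the thread or from Snort itself: a small Python triage helper that parses the localised spp_portscan2 records quoted above, flags the ones where a service port is "scanning" a client's ephemeral ports as the server-reply pattern Jonathan describes, and replays a browser opening many parallel connections against an assumed port_limit/timeout threshold to show why the preprocessor fires. SAMPLE_ALERTS is constructed from the thread's records; SERVICE_PORTS and the 20-port/60-second defaults are assumptions.

```python
import re

# Constructed sample: the spp_portscan2 records quoted in the thread (same localised layout, masked IPs).
SAMPLE_ALERTS = """\
Datum: 06/03 11:46:02 Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 46 seconds Priorität: n/a Typ: n/a IP-Info: 195.202.xx.xx:80 -> 217.95.238.230:33551 Referenz: nichts gefunden SID: n/a
Datum: 06/03 11:56:05 Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 2 targets 21 ports in 14 seconds Priorität: n/a Typ: n/a IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:35015 Referenz: nichts gefunden SID: n/a
Datum: 05/24 09:10:04 Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 2 seconds Priorität: n/a Typ: n/a IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33149 Referenz: nichts gefunden SID: n/a
"""

ALERT_RE = re.compile(
    r"Portscan detected from (?P<scanner>[\w.]+): (?P<targets>\d+) targets "
    r"(?P<ports>\d+) ports in (?P<secs>\d+) seconds.*?"
    r"IP-Info: (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)"
)

# Assumption: the ports a server on the monitored host legitimately answers from.
SERVICE_PORTS = {80, 443, 25}

def parse_alerts(text):
    """Return one dict per spp_portscan2 record, with numeric fields as ints."""
    records = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        for key in ("targets", "ports", "secs", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def classify(rec):
    """'server-reply' when the 'scanner' is a service port answering a client's
    ephemeral ports (the pattern explained in the thread), otherwise 'review'."""
    if rec["sport"] in SERVICE_PORTS and rec["dport"] >= 1024:
        return "server-reply"
    return "review"

def portscan2_would_fire(replies, port_limit=20, timeout=60):
    """Replay (seconds, dst_ip, dst_port) server->client replies; True once more than
    port_limit distinct ip:port pairs fall in one timeout window (defaults assumed)."""
    window = []
    for t, ip, port in sorted(replies):
        window = [w for w in window if t - w[0] <= timeout]
        window.append((t, ip, port))
        if len({(w[1], w[2]) for w in window}) > port_limit:
            return True
    return False

def browser_replies(n_connections, client="client.example", start_port=33551):
    """Constructed traffic: one page load opening n parallel connections to port 80."""
    return [(i * 0.1, client, start_port + i) for i in range(n_connections)]
```

A record classified as "server-reply" is not proof of benign traffic; it only says the alert matches the reply pattern and can be de-prioritised before the ones that need a look.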
Current thread:
- Snort Logs [HITCON VIRUS CHECK: OK] Maik . Linnemann (Jun 03)
- <Possible follow-ups>
- RE: Snort Logs [HITCON VIRUS CHECK: OK] Miner, Jonathan W (CSC) (US SSA) (Jun 03)
- Re: Re: Snort Logs [HITCON VIRUS CHECK: OK] Maik . Linnemann (Jun 03)