Snort mailing list archives

SNORT3 - (port_scan) TCP portsweep


From: Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Mon, 8 Jul 2019 16:09:39 -0400

Hello group,
I have a LOT of these (port_scan) TCP portsweep alerts in my logs, which look
a lot like false positives.

172.217.10.78:443 -> xx.37.xx.58:58622 (port_scan) TCP portsweep
xx.37.xx.58:53827 -> 157.240.14.10:443 (port_scan) TCP portsweep
xx.37.xx.57:30552 -> 185.176.27.242:49361 (port_scan) TCP portsweep
xx.37.xx.58:61077 -> 54.152.8.15:443 (port_scan) TCP portsweep
23.52.164.32:443  -> xx.37.xx.58:61034 (port_scan) TCP portsweep
xx.37.xx.58:61039 -> 99.86.231.159:443 (port_scan) TCP portsweep

I looked at the packet itself and the data looks like this:

snort.raw[72]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
  0   00 17 10 8E 47 07 AC F1  DF 5F D1 28 08 00 45 00   ....71...95.40..69.
 16   00 14 29 9F 00 B9 3F 11  7A 53 18 25 6B 3A A3 B6   ..41...63.12283.3710758..
 32   AF F2 1F 2F 15 EB 46 7A  D6 9B EC 7A 2D F6 6E 73   ...47..70122...12245.110115
 48   B0 79 D9 94 0F 15 96 CC  EE A4 AF 63 02 51 94 B4   .121.........99.81..
 64   29 DC 19 6B D3 60 6B CF                            41..107.96107.
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

========================================================================

snort.raw[60]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
  0   AC F1 DF 5F D1 28 00 17  10 8E 47 07 08 00 45 00   ...95.40....71...69.
 16   00 2C 2A 47 40 00 39 11  0B 4A C0 60 C8 70 18 25   .44427164.57..74.96.112.37
 32   6B 3A A5 1A E5 5C 00 18  3B 2D 7E 2A 9D 0C 40 D0   10758...92..594512642..64.
 48   40 CA 3D 2D 48 2D 40 E4  CA D8 00 00               64.6145724564....
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

I am wondering if the scanning pre-processor is buggy or if it's me doing
something wrong in my plugin?

Does anybody else have the same problem?

Any help would be appreciated here, because I don't want to get rid of this
as it could be legitimate at some point in time.

Cheers,

Christian Leclerc, CSSLP, CEH, OCMJEA, OCPJBCD, SCJP, ZCE
christian.leclerc () sphere3solutions com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
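Before blaming the port_scan module, it is worth checking what the dumped frames actually contain. The decoder below is an added example written for this page; it is not code from the post, from the poster's plugin, or from Snort. Its input is the hex bytes of the two dumps above as transcribed in the post (offset and decimal columns dropped), embedded as constructed sample data. It decodes Ethernet II and IPv4, verifies the IPv4 header checksum (a failing checksum means the dumped bytes are not the bytes that were on the wire, which points at the dump routine rather than at the detector), reports capture truncation or trailing padding, and only reads UDP/TCP ports when the datagram is not a non-first fragment, since a later fragment carries no transport header at all.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the hex bytes of the two frames from the post above
# (snort.raw[72] and snort.raw[60]), with the offset and decimal columns dropped.
FRAME_72 = """
00 17 10 8E 47 07 AC F1 DF 5F D1 28 08 00 45 00
00 14 29 9F 00 B9 3F 11 7A 53 18 25 6B 3A A3 B6
AF F2 1F 2F 15 EB 46 7A D6 9B EC 7A 2D F6 6E 73
B0 79 D9 94 0F 15 96 CC EE A4 AF 63 02 51 94 B4
29 DC 19 6B D3 60 6B CF
"""
FRAME_60 = """
AC F1 DF 5F D1 28 00 17 10 8E 47 07 08 00 45 00
00 2C 2A 47 40 00 39 11 0B 4A C0 60 C8 70 18 25
6B 3A A5 1A E5 5C 00 18 3B 2D 7E 2A 9D 0C 40 D0
40 CA 3D 2D 48 2D 40 E4 CA D8 00 00
"""


def hexdump_to_bytes(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header, checksum field included.
    Returns 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Decoded:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    ttl: int
    ip_total_len: int
    ip_id: int
    dont_fragment: bool
    more_fragments: bool
    frag_offset: int            # in bytes; 0 for an unfragmented packet or a first fragment
    checksum_ok: bool
    l4: Optional[dict] = None   # ports, filled in only when the transport header is present
    notes: list = field(default_factory=list)


def decode_frame(raw: bytes) -> Decoded:
    """Decode Ethernet II + IPv4 (+ UDP/TCP ports) and sanity-check the IPv4 header."""
    if len(raw) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac = raw[0:6].hex(":"), raw[6:12].hex(":")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, ip_id, flags_frag, ttl, proto, _cksum = struct.unpack("!HHHBBH", ip[2:12])
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    df, mf = bool(flags_frag & 0x4000), bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    checksum_ok = ip_checksum(ip[:ihl]) == 0

    notes = []
    if not checksum_ok:
        notes.append("IPv4 header checksum does not verify: dumped bytes differ from what was on the wire")
    if total_len > len(ip):
        notes.append("capture truncated: IP total length %d > %d bytes present" % (total_len, len(ip)))
    elif total_len < len(ip):
        notes.append("%d trailing bytes beyond IP total length (Ethernet padding or dump artefact)"
                     % (len(ip) - total_len))

    l4 = None
    if frag_offset != 0:
        notes.append("non-first fragment (offset %d): no UDP/TCP header in this packet" % frag_offset)
    elif proto in (6, 17) and len(ip) >= ihl + 8:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        l4 = {"proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport}
        if proto == 17:
            l4["udp_len"] = struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]
    return Decoded(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, total_len, ip_id,
                   df, mf, frag_offset, checksum_ok, l4, notes)


if __name__ == "__main__":
    for name, dump in (("snort.raw[72]", FRAME_72), ("snort.raw[60]", FRAME_60)):
        d = decode_frame(hexdump_to_bytes(dump))
        print(name, d.src_ip, "->", d.dst_ip, "proto", d.proto, "l4", d.l4)
        for n in d.notes:
            print("   !", n)
```

Run against the bytes as transcribed, both frames decode as IP protocol 17 (UDP), not TCP. The 60-byte frame is a well-formed UDP datagram whose header checksum verifies; the 72-byte frame has a non-zero fragment offset, so it carries no transport header, and its header checksum does not verify with the bytes shown, so the dump routine is the first thing to check before reading anything into the alerts.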
