Security Incidents mailing list archives
Re: Port-scans from visited web-sites?
From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Sat, 10 Jun 2000 16:12:11 +0200
On Thu, Jun 08, 2000 at 03:58:24PM -0400, Greg A. Woods wrote:
> [ On Wednesday, June 7, 2000 at 14:19:28 (+0100), Peter Bates wrote: ]
> > Subject: Port-scans from visited web-sites?
> >
> > Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> > Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> > Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> >
> > using snort, obviously, and generated from our machine that acts as our site 'web-cache/proxy'... this was followed by about 3/4 other similar 'scans' acknowledged by snort...
>
> Snort is on drugs, I think. It's promulgating paranoia.
>
> First off it's obviously not likely a scan. It might be a probe for something, but unless your network neighbours are being probed similarly it's not a "scan" of any kind.
This is snort's portscan preprocessor, which alerts on the reception of every single "stealth packet" (a packet that could belong to a stealth scan). Therefore snort functions properly without any drug usage (except for a few snort developers drinking a pint of beer or two :-). What is causing these packets is "packet noise", i.e. header corruption. I see these kinds of packets mostly during gnutella sessions of my users. I guess that most of the gnutella users sit behind lousy dialin connections that cause the noise.
> Where the heck is the destination port number of this supposed connection? How does snort *know* it's a "STEALTH" connection?
All that info is logged to the portscan.log file. You can see the TCP flags that caused the alarm there, too.

Erich

--
Erich Meier
Erich.Meier () informatik uni-erlangen de
http://www4.informatik.uni-erlangen.de/~meier/
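A defender-side triage of the spp_portscan syslog summaries quoted in this thread, written as an added example (it is neither part of the thread nor snort's own code). It aggregates the "portscan status" lines per source and separates isolated single-packet episodes, the header-corruption case Erich describes, from sources that touched several hosts, Greg's criterion for a real scan. The hostname is shortened and the 192.0.2.77 episode is a constructed, hypothetical scan added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log: the 206.251.0.173 lines are the spp_portscan syslog
# summaries quoted in the thread (hostname shortened); 192.0.2.77 is a hypothetical scan.
SAMPLE_LOG = """\
Jun 7 13:27:01 www-cache snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:27:14 www-cache snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:27:19 www-cache snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:30:58 www-cache snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:32:59 www-cache snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:40:21 www-cache snort[632]: spp_portscan: portscan status from 192.0.2.77: 10 connections across 4 hosts: TCP(10), UDP(0) STEALTH
"""

# Only the "portscan status" line carries counts; DETECTED/End lines are skipped.
# Note the syslog summary has no port or TCP flags; those live only in portscan.log.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d+(?:\.\d+){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)

def parse_status_lines(log):
    """Yield one dict per 'portscan status' episode summary."""
    for line in log.splitlines():
        m = STATUS_RE.search(line)
        if m:
            yield {"src": m["src"], "conns": int(m["conns"]), "hosts": int(m["hosts"]),
                   "tcp": int(m["tcp"]), "udp": int(m["udp"]),
                   "stealth": m["stealth"] is not None}

def summarize_sources(log):
    """Per source: episode count, total connections, widest single episode."""
    agg = defaultdict(lambda: {"episodes": 0, "conns": 0, "max_conns": 0, "max_hosts": 0})
    for ep in parse_status_lines(log):
        a = agg[ep["src"]]
        a["episodes"] += 1
        a["conns"] += ep["conns"]
        a["max_conns"] = max(a["max_conns"], ep["conns"])
        a["max_hosts"] = max(a["max_hosts"], ep["hosts"])
    return dict(agg)

def classify(stats):
    """Several hosts touched -> 'scan'; several connections to one host -> 'probe';
    one odd-flagged packet per episode -> 'single-packet' (noise-like, check portscan.log)."""
    if stats["max_hosts"] > 1:
        return "scan"
    if stats["max_conns"] > 1:
        return "probe"
    return "single-packet"
```

Sources labelled "single-packet" are the ones worth checking against portscan.log for the TCP flags before treating them as hostile.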