Snort mailing list archives
Re: is there anyway of stoping this?
From: Neil Dickey <neil () geol niu edu>
Date: Thu, 31 May 2001 12:22:52 -0500 (CDT)
"Ben Johansen" <benj () intelisoft net> wrote asking:
I have looked at whitehats.com and found no direct reference to this portscan
[ ... Snip ... ]
Can it be stopped? Is there a hole I have missed?
Hello, Ben. Welcome aboard.

These log traces are generated by the portscan preprocessor, not by one of the rules in the ruleset. It's been my experience that they are generated by incoming TCP packets that have the so-called "reserved bits" set. You may know that TCP packets commonly have flags set, SYN, ACK, FIN, and the like, to indicate what part they are playing in the TCP connection. There are two bits left over after all the flags have been accommodated, and these are the "reserved bits." Having them set on incoming packets *may* be an indication of suspicious behavior, but isn't *necessarily* so. Some types of scans will set these bits and see how your OS responds to them, for instance, as a means of helping figure out exactly what OS it is you're running. My own post of an hour or so ago has an example of my web daemon apparently sending out packets with the reserved bits set, and I can categorically state that this is done in all innocence.

Can it be stopped? No. You can make the log trace go away by disabling the portscan preprocessor, but I don't recommend that. ;-)

Is there a hole you have missed? The fact that you are getting these entries doesn't mean you have a hole in your defenses. It may mean that someone is scanning you to find out what you are and whether or not you might make a good target, or it may mean nothing at all. Keep an eye on the source IP of these alerts, and see if any patterns develop.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
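As an added illustration of the "reserved bits" Neil describes (example code written for this archive page, not part of the original post or of Snort), the following parser pulls the flags byte out of a raw TCP header and sorts segments the way a reviewer of these alerts might. It assumes a bare TCP header with no IP header in front of it, and it relies on one later fact worth knowing when triaging such alerts: the two high bits of the flags byte that were "reserved" in 2001 were assigned to ECN (CWR and ECE) by RFC 3168, so modern ECN-capable hosts set them legitimately during the handshake and afterwards.

```python
import struct

# TCP flag bits of header byte 13 (RFC 793). The top two, CWR and ECE,
# are the two "reserved bits" of the post; RFC 3168 later gave them to ECN.
FLAGS = {0x80: "CWR", 0x40: "ECE", 0x20: "URG", 0x10: "ACK",
         0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}
RESERVED_MASK = 0xC0  # CWR | ECE


def parse_tcp_flags(segment: bytes) -> dict:
    """Parse a raw TCP header (no IP header) and report ports, offset, flags."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", segment[:14])
    return {
        "sport": sport,
        "dport": dport,
        "data_offset": (off_res >> 4) * 4,          # header length in bytes
        "low_reserved_nibble": off_res & 0x0F,      # reserved bits of byte 12
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "reserved_set": bool(flags & RESERVED_MASK),
    }


def classify(segment: bytes) -> str:
    """Sort a segment into: normal, a benign ECN handshake, or worth a look.

    ECN hosts also set ECE/CWR on later segments of an established flow, so
    'reserved-bits-set' marks a candidate for review, not a verdict.
    """
    info = parse_tcp_flags(segment)
    f = set(info["flags"])
    if not info["reserved_set"]:
        return "normal"
    if f == {"CWR", "ECE", "SYN"}:
        return "ecn-setup-syn"        # client offering ECN (RFC 3168)
    if f == {"ECE", "SYN", "ACK"}:
        return "ecn-setup-syn-ack"    # server accepting ECN (RFC 3168)
    return "reserved-bits-set"


def build_tcp_header(sport: int, dport: int, flags_byte: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed sample: a minimal 20-byte TCP header with the given flags."""
    off_res = 5 << 4  # 5 x 32-bit words = 20 bytes, reserved nibble zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       off_res, flags_byte, 65535, 0, 0)
```

Running `classify` over captured headers lets you separate ordinary ECN negotiation from the odd combinations (for example SYN with the reserved bits and FIN together) that are the ones worth correlating by source IP, as the post suggests.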
Current thread:
- is there anyway of stoping this? Ben Johansen (May 31)
- Re: is there anyway of stoping this? Ryan Russell (May 31)
- <Possible follow-ups>
- Re: is there anyway of stoping this? roman (May 31)
- Re: is there anyway of stoping this? Neil Dickey (May 31)