Snort mailing list archives

Re: is there anyway of stoping this?

From: Neil Dickey <neil () geol niu edu>
Date: Thu, 31 May 2001 12:22:52 -0500 (CDT)


"Ben Johansen" <benj () intelisoft net> wrote asking:

I have looked at whitehats.com and found not direct reference to this
portscan

[ ... Snip ... ]

Can it be stopped?
Is there a hole I have missed?


Hello, Ben.  Welcome aboard.

These log traces are generated by the portscan preprocessor, not by one
of the rules in the ruleset.  It's been my experience that they are
generated by incoming TCP packets that have the so-called "reserved bits"
set.  You may know that TCP packets commonly have flags set, SYN, ACK, FIN,
and the like, to indicate what part they are playing in the TCP connection.
There are two bits left over after all the flags have been accomodated, and
these are the "reserved bits."

Having them set on incoming packets *may* be an indication of suspicious
behavior, but isn't *necessarily* so.  Some types of scans will set these
bits and see how your OS responds to them, for instance, as a means of
helping figure out exactly what OS it is you're running.  My own post of
an hour or so ago has an example of my web daemon apparently sending out
packets with the reserved bits set, and I can categorically state that this
is done in all innocence.

Can it be stopped?  No.  You can make the log trace go away by disabling
the portscan preprocessor, but I don't recommend that.  ;-)  Is there a
hole you have missed?  The fact that you are getting these entries doesn't
mean you have a hole in your defenses.  It may mean that someone is scanning
you to find out what you are and whether or not you might make a good target,
or it may mean nothing at all.

Keep an eye on the source IP of these alerts, and see if you can any patterns
develop.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

is there anyway of stoping this? Ben Johansen (May 31)
- Re: is there anyway of stoping this? Ryan Russell (May 31)
- <Possible follow-ups>
- Re: is there anyway of stoping this? roman (May 31)
- Re: is there anyway of stoping this? Neil Dickey (May 31)