Snort mailing list archives

Re: (no subject)


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 08 Jan 2002 23:15:20 -0500

You can turn this off by removing the "detect_scans" from the
"preprocessor stream4" directive in the snort.conf file.

     -Marty

Peter Charbonneau wrote:

Let's try this again ....

I also have a "local" installation on my XP workstation.  My local
installation picked up the alerts below, but my IP address is NEITHER
148.63.230.175 nor 137.165.38.56.

The 1.7.x NIDS does not show the Vecna Scan - no rule for it;  I am on a
totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
THIS SCAN?

I have googled "vecna scan" and haven't come up with anything of import.
Can anyone point me in the right direction to solve this?

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:19.741535 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:5343 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:59.179763 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:65197 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:26:05.589014 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:19737 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:26:12.408611 148.63.230.175:2053 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:36487 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:27:05.304106 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:56639 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:27:11.596751 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:7629 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:27:16.472016 148.63.230.175:2053 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:23699 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:28:08.622985 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:35911 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:28:15.073440 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:57099 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:28:20.945437 148.63.230.175:2053 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:8539 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:29:10.365906 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:62989 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:29:12.687532 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:1307 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:29:18.634989 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:30529 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:30:15.215808 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:18431 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:30:16.428840 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:14973 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:30:21.724133 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:38547 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:31:18.268895 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:18147 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:31:19.167145 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:20909 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:31:25.719371 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:39671 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:32:22.207560 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:57997 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:32:29.765880 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:13131 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:33:28.357172 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:41075 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:33:36.270953 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:61835 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:34:30.446340 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:6295 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:34:39.058317 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:26603 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:35:36.313847 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:55721 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:35:41.710352 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:9657 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:36:38.339457 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:57215 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:37:42.341166 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:45717 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:38:48.717381 148.63.230.175:2238 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:14965 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20

PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)
(209) 391-9821 (fax)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
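Added example, not code from the thread or from the Snort project: a small Python triage script for the "full"-format alerts quoted above. It parses the four-line records, keeps only generator 111 / sid 11 hits, and groups them per 4-tuple, which makes explicit what the listing already shows: every record has only PSH set ("****P***") with Ack 0x0, and each source port repeats the same sequence number, i.e. one data segment retransmitted, not a sweep of ports. The sample input is a constructed three-record subset of the listing; the field names and the stealth_flags() test are this example's own assumptions about what stream4's detect_scans keys on, not Snort's logic.

```python
"""Triage of Snort 'full' alert output for spp_stream4 STEALTH ACTIVITY hits.

Added example, not code from Snort or from the original post. SAMPLE_ALERTS is
a constructed subset (three records) of the alert listing in the thread. Field
names and the stealth_flags() heuristic are this example's own assumptions
about what stream4's detect_scans option keys on, not Snort's implementation.
"""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:19.741535 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:5343 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:59.179763 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:65197 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:26:05.589014 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:19737 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
"""

# One 'full' alert is four lines: header, addresses, IP header, TCP header.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
# Flag string uses Snort's fixed "12UAPRSF" layout with '*' for a clear bit.
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                    r"\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")


def parse_alerts(text):
    """Parse 'full' alert text into dicts; records that do not match are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        h, a, ip, t = (HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                       IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (h and a and ip and t):
            continue
        records.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "msg": h.group(4),
            "ts": a.group(1), "src": a.group(2), "sport": int(a.group(3)),
            "dst": a.group(4), "dport": int(a.group(5)),
            "ttl": int(ip.group(1)), "ipid": int(ip.group(2)),
            "iplen": int(ip.group(3)), "dgmlen": int(ip.group(4)),
            "flags": frozenset(c for c in t.group(1) if c != "*"),
            "seq": int(t.group(2), 16), "ack": int(t.group(3), 16),
            "win": int(t.group(4), 16), "tcplen": int(t.group(5)),
        })
    return records


def stealth_flags(rec):
    """True for PSH and/or URG with neither SYN nor ACK set: a segment that
    belongs to no handshake, so a stateful preprocessor has no session for it.
    Assumed reading of the 'Vecna scan' alert, not Snort's exact test."""
    f = rec["flags"]
    return bool(f & {"P", "U"}) and not (f & {"S", "A"})


def payload_len(rec):
    """TCP payload bytes = IP datagram length - IP header - TCP header."""
    return rec["dgmlen"] - rec["iplen"] - rec["tcplen"]


def summarize(records, gid=111, sid=11):
    """Group matching alerts per 4-tuple. Repeated hits on one source port with
    one sequence number are retransmissions of a single segment, not a port
    sweep; that is the first thing to establish before tuning the sensor."""
    flows = defaultdict(list)
    for r in records:
        if r["gid"] == gid and r["sid"] == sid:
            flows[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    return {key: {"count": len(rs),
                  "distinct_seq": len({r["seq"] for r in rs}),
                  "payload_bytes": sorted({payload_len(r) for r in rs}),
                  "all_stealth": all(stealth_flags(r) for r in rs),
                  "all_ack_zero": all(r["ack"] == 0 for r in rs)}
            for key, rs in flows.items()}


if __name__ == "__main__":
    for flow, info in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print("%s:%d -> %s:%d" % flow, info)
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; a flow whose "count" is high but whose "distinct_seq" stays at 1 is the retransmission pattern seen in the listing, and "payload_bytes" of 309 (349 - 20 - 20) says these carry data, which a bare port probe would not.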
