Snort mailing list archives
Re: portscan log...
From: "Edwin Pua" <edwin1118 () hotmail com>
Date: Thu, 31 Jan 2002 06:45:46 +0000
Hi Joe,

OK, thanks for the explanation, but how am I gonna know that he was already connected to my TCP port? Or I was being attacked/hacked by this source IP? I'm using the default rules in my Snort box.
rgds, edwin
From: Joe McAlerney <joey () SiliconDefense com>
To: Edwin Pua <edwin1118 () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] portscan log...
Date: Wed, 30 Jan 2002 18:34:13 -0800

Hi Edwin,

It means the portscanner used TCP packets with only the SYN bit set. These packets are used to initiate TCP connections. The person is presumably looking for TCP services running on your box.

For more information on the portscan plugin, take a look at:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.3

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Edwin Pua wrote:
>
> Hi,
>
> I saw this message under my portscan.log file and I know that this
> source ip 137.132.83.218 is scanning my ip 211.156.185.143 but what is
> SYN*****S* means?
>
> Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
> Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
> Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
> Jan 29 18:52:36 137.132.83.218:2004 -> 211.166.185.143:3377 SYN ******S*
> Jan 29 18:52:36 137.132.83.218:2005 -> 211.166.185.143:3378 SYN ******S*
> Jan 29 18:52:37 137.132.83.218:2006 -> 211.166.185.143:3379 SYN ******S*
> Jan 29 18:52:37 137.132.83.218:2007 -> 211.166.185.143:3380 SYN ******S*
> Jan 29 18:52:38 137.132.83.218:2008 -> 211.166.185.143:3381 SYN ******S*
> Jan 29 18:52:38 137.132.83.218:2010 -> 211.166.185.143:3383 SYN ******S*
> Jan 29 18:52:39 137.132.83.218:2011 -> 211.166.185.143:3384 SYN ******S*
> Jan 29 18:52:39 137.132.83.218:2012 -> 211.166.185.143:3385 SYN ******S*
> Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*
>
> rgds,
> edwin
>
> _________________________________________________________________
> Chat with friends online, try MSN Messenger: http://messenger.msn.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
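As an added example (not code from the thread or from Snort): a small Python parser for portscan.log lines in the layout quoted above, which decodes the flag field Joe describes and groups the probes by source address. The sample lines, the documentation addresses and the reading of the first two flag characters as reserved bits are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the portscan.log layout quoted in the thread
# (documentation addresses; the scan-type label on the FIN line is constructed).
SAMPLE_LOG = """\
Jan 29 18:52:34 192.0.2.10:1999 -> 198.51.100.7:3372 SYN ******S*
Jan 29 18:52:34 192.0.2.10:2000 -> 198.51.100.7:3373 SYN ******S*
Jan 29 18:52:35 192.0.2.10:2003 -> 198.51.100.7:3376 SYN ******S*
Jan 29 18:52:36 192.0.2.10:2004 -> 198.51.100.8:3377 SYN ******S*
Jan 29 18:52:40 192.0.2.44:4100 -> 198.51.100.7:80 FIN *******F
this line is damaged and is counted, not parsed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S{8})$"
)
# Assumption: the last six characters stand for URG ACK PSH RST SYN FIN in
# that order, the first two for the reserved bits; '*' means "not set".
FLAG_ORDER = "UAPRSF"


def decode_flags(field):
    """Return the set of TCP flags set in an 8-character flag field."""
    return {name for name, ch in zip(FLAG_ORDER, field[2:]) if ch != "*"}


def summarize(log_text):
    """Group entries by source: SYN-only count and ports probed per target."""
    report = defaultdict(lambda: {"syn_only": 0, "other": 0,
                                  "targets": defaultdict(set)})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so damaged lines are not silently lost
            continue
        entry = report[m["src"]]
        key = "syn_only" if decode_flags(m["flags"]) == {"S"} else "other"
        entry[key] += 1
        entry["targets"][m["dst"]].add(int(m["dport"]))
    return dict(report), skipped


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for src, e in report.items():
        ports = {dst: sorted(p) for dst, p in e["targets"].items()}
        print(src, "SYN-only:", e["syn_only"], "other:", e["other"], ports)
    print("unparsed lines:", skipped)
```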
Current thread:
- portscan log... Edwin Pua (Jan 30)
- Re: portscan log... Joe McAlerney (Jan 30)
- Re: portscan log... Demetri Mouratis (Jan 31)
- <Possible follow-ups>
- Re: portscan log... Edwin Pua (Jan 30)
- Re: portscan log... John Sage (Jan 31)
- Re: portscan log... Joe McAlerney (Jan 31)
- Re: portscan log... Edwin Pua (Feb 01)