Snort mailing list archives

RE: RV: portscan


From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Mon, 3 Jun 2002 11:44:42 -0300

I'm not using Nessus right now.
I wonder if the originator PC is infected with some worm 
that generates that traffic...

PABLO

-----Original Message-----
From: Hugo Ferr [mailto:snortgrp () hotmail com]
Sent: Friday, May 31, 2002 04:05
To: Petriz, Pablo; snort-users () lists sourceforge net
Subject: Re: [Snort-users] RV: portscan


SYN and VECNA entries... I've seen them a lot when I was
doing Nessus scans from inside my network to outside.
Do you have Nessus running on your network?
----- Original Message -----
From: "Petriz, Pablo" <ppetriz () siscat com ar>
To: <snort-users () lists sourceforge net>
Sent: Friday, May 31, 2002 2:04 PM
Subject: [Snort-users] RV: portscan


Please. Can someone answer this?
Tell me if you need more info.
TIA

PABLO

-----Original Message-----
From: Petriz, Pablo
Sent: Thursday, May 30, 2002 04:40
To: 'snort-users () lists sourceforge net'
Subject: portscan


Hello list!
My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2
private networks.
In the DMZ we have Apache + SCO Tarantella and a MS Terminal Server
to share an application. I have various connections working well,
and today we were bringing up a new connection when Snort detected
a portscan from the PC (Win98) we were working on. The bring-up job
consists of pointing the browser to the site at the DMZ
and then logging in
to Tarantella, so what can be the cause of the portscan
from that PC?
portscan.log shows entries to port 80 (Apache) and 3144
(Tarantella).
Here are the alert and portscan.log files.
Thank you!!!

PABLO

alert
=====
[**] [100:1:1]  <eth1> spp_portscan: PORTSCAN DETECTED on
eth1 to port 80 from x.x.x.x (STEALTH) [**]
05/30-13:21:40.010817
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:22:41.428323
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:22:47.311326
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:25:19.802265
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:29:04.070375
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:36.666846
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:40.024516
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:30:44.383457
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:34:34.340470
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:06.263163
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:16.842867
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:35.662691
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:37:11.728234
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:37:58.647353
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:38:10.834317
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:09.880222
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:31.116911
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:51.451081
[**] [100:2:1]  <eth1> spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:44:02.704023
[**] [100:3:1]  <eth1> spp_portscan: End of portscan from
x.x.x.x: TOTAL time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
05/30-13:44:07.835669

portscan.log
============
May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S*
May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S*
May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S*
May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S*
May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S*
May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S*
May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S*
May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S*
May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S*
May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S*
May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U*****
May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S*
May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S*
May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S*
May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S*
May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S*
May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S*
May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S*
May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S*

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- 
http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
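A small parser and triage helper for the portscan.log format quoted in the thread, added here as example code (not from the thread, nor from Snort itself). The sample lines are a constructed subset of the log above, and the "single host, few ports" rule at the end is an assumed triage heuristic, not a Snort feature.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the portscan.log lines quoted in the thread
# (Snort 1.8.x spp_portscan format; x.x.x.x / y.y.y.y are the post's placeholders).
SAMPLE_LOG = """\
May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
"""
# The flag column is printed in the fixed order 12UAPRSF ('1' and '2' are the
# reserved bits); a '*' means that bit is clear.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[^ :]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^ :]+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})$")

def parse_line(line):
    # Returns a dict for one portscan.log line, or None if it does not parse.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = {c for c in rec["flags"] if c != "*"}
    rec["dport"] = int(rec["dport"])
    return rec

def is_malformed(flags):
    """Flag sets no normal TCP stack sends (what spp_portscan tags VECNA/NOACK):
    reserved bits set, SYN together with FIN/RST, or URG/PSH/FIN without ACK."""
    return bool(flags & {"1", "2"}) or \
        ("S" in flags and bool(flags & {"F", "R"})) or \
        ("A" not in flags and bool(flags & {"U", "P", "F"}))

def summarize(log_text):
    """Per source: connection count, distinct targets and ports, malformed packets,
    plus an assumed triage hint: one host and only a couple of ports looks like an
    application reconnecting rather than a sweep, so it goes to manual review."""
    stats = defaultdict(lambda: {"conns": 0, "hosts": set(), "ports": set(), "malformed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["conns"] += 1
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["malformed"] += is_malformed(rec["flags"])
    for s in stats.values():
        narrow = len(s["hosts"]) == 1 and len(s["ports"]) <= 2
        s["verdict"] = "review: single host, few ports" if narrow else "scan: many hosts/ports"
    return dict(stats)
```

Run `summarize(SAMPLE_LOG)` on the full log from the post and the source comes out as one host, two ports (80 and 3144) and a handful of malformed packets, which is the profile Hugo and Pablo are discussing rather than a sweep.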