Snort mailing list archives

Re: TCP ******S* portscan


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Apr 2002 18:07:47 -0500

Is the iptables firewall running on a machine which is upstream of snort (not on the same box or somewhere downstream)?

Just because your webserver filters packets doesn't mean snort running on your webserver, or some other machine, won't see them. Snort captures at the ethernet level, before iptables/ipchains/ipf filtering happens, which is also why it sees traffic not addressed to the machine it runs on. I run snort on a box which has an IPF rule to deny *everything* on that interface and snort picks up traffic going by just fine.

So, unless your snort is running downstream of the iptables firewall, don't worry, this is normal for snort to see. If snort is downstream, i.e. you have a computer with 2 ethernet interfaces using iptables prior to routing between them and snort is on the "inside" of that router, well, your iptables aren't doing what you expect.

In either event, it does mean that 195.186.255.2 did a sequential tcp portscan on your webserver.



At 11:31 PM 4/5/2002 -0100, Marcel Hauser wrote:
Hi everybody

I'm new to Snort, and hopefully this is not in any FAQ I didn't read ;)

Can someone please tell me how this could happen:
(y.y.y.y is the internal IP address of my webserver and I'm allowing only port 80 and 25 to that server from outside using iptables)

Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
Apr 5 15:51:00 195.186.255.2:3600 -> y.y.y.y:45433 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3601 -> y.y.y.y:45434 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3602 -> y.y.y.y:45435 SYN ******S*
Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
Apr 5 15:51:42 195.186.255.2:3615 -> y.y.y.y:45441 SYN ******S*
Apr 5 15:51:43 195.186.255.2:3616 -> y.y.y.y:45442 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3617 -> y.y.y.y:45443 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3618 -> y.y.y.y:45444 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3638 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3641 -> y.y.y.y:80 SYN ******S*

Thanks in advance

Cheers, Marcel

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


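As an added illustration (not code from this thread or from Snort itself): a small Python parser for the portscan.log lines Marcel quoted, which groups entries per source/destination pair and reports ascending destination-port runs, so the sequential sweep stands out from the repeated, legitimate connections to port 80. The regex, the thresholds and the sample (a subset of the lines quoted above) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Snort 1.x portscan.log line, as quoted in the thread:
#   Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<scan>\S+)\s+(?P<flags>\S+)$"
)

def parse_line(line):
    """Parse one portscan.log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_sweeps(lines, min_ports=5, max_gap=8):
    """Return (src, dst, first_port, last_port, count) for ascending port runs.

    A run continues while the next destination port is higher by 1..max_gap
    (tolerating a few skipped probes); repeats (port 80 over and over) and
    downward jumps end it. Only runs of at least min_ports are reported.
    """
    per_pair = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_pair[(rec["src"], rec["dst"])].append(rec["dport"])
    sweeps = []
    for (src, dst), ports in per_pair.items():
        run = [ports[0]]
        for prev, cur in zip(ports, ports[1:]):
            if 0 < cur - prev <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_ports:
                sweeps.append((src, dst, run[0], run[-1], len(run)))
            run = [cur]
        if len(run) >= min_ports:
            sweeps.append((src, dst, run[0], run[-1], len(run)))
    return sweeps

# Sample input: a subset of the lines quoted in the thread (assumed for this example).
SAMPLE_LOG = """\
Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    for src, dst, first, last, n in find_sweeps(SAMPLE_LOG):
        print(f"{src} swept {dst} ports {first}-{last} ({n} probes)")
```

The upstream-versus-downstream question in Matt's reply still applies: a sweep reported here from a sensor outside the firewall is expected, while the same sweep seen on the inside interface means the filter did not block it.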