Snort mailing list archives
Re: TCP ******S* portscan
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Apr 2002 18:07:47 -0500
Is the iptables firewall running on a machine which is upstream of snort (not on the same box or somewhere downstream)?
Just because your webserver filters packets doesn't mean snort running on your webserver, or some other machine, won't see them. Snort captures at the ethernet level, before iptables/ipchains/ipf filtering happens, which is also why it sees traffic not addressed to the machine it runs on. I run snort on a box which has an IPF rule to deny *everything* on that interface and snort picks up traffic going by just fine.
So, unless your snort is running downstream of the iptables firewall, don't worry, this is normal for snort to see. If snort is downstream, i.e. you have a computer with 2 ethernet interfaces using iptables prior to routing between them and snort is on the "inside" of that router, well, your iptables aren't doing what you expect.
In either event, it does mean that 195.186.255.2 did a sequential tcp portscan on your webserver.
At 11:31 PM 4/5/2002 -0100, Marcel Hauser wrote:
Hi everybody, I'm new to Snort, and hopefully this is not in any FAQ I didn't read ;)
Can someone please tell me how this could happen: (y.y.y.y is the internal IP address of my webserver and I'm allowing only port 80 and 25 to that server from outside using iptables)

Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
Apr 5 15:51:00 195.186.255.2:3600 -> y.y.y.y:45433 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3601 -> y.y.y.y:45434 SYN ******S*
Apr 5 15:51:01 195.186.255.2:3602 -> y.y.y.y:45435 SYN ******S*
Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
Apr 5 15:51:42 195.186.255.2:3615 -> y.y.y.y:45441 SYN ******S*
Apr 5 15:51:43 195.186.255.2:3616 -> y.y.y.y:45442 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3617 -> y.y.y.y:45443 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3618 -> y.y.y.y:45444 SYN ******S*
Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3631 -> y.y.y.y:80 SYN ******S*
Apr 5 15:52:40 195.186.255.2:3635 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3638 -> y.y.y.y:80 SYN ******S*
Apr 5 15:53:00 195.186.255.2:3641 -> y.y.y.y:80 SYN ******S*

Thanks in advance
Cheers
Marcel

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
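One way to confirm from the portscan log what Matt describes, a sequential SYN scan from a single source hitting a run of consecutive ports, is to parse the lines and look for bursts of distinct destination ports per source/destination pair. This is an added example in Python, not code from the thread or from Snort; the threshold, the time window and the constructed SAMPLE (a subset of the lines quoted above) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort portscan preprocessor log line, in the format quoted in the thread:
#   Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)$"
)

def parse_line(line, year=2002):
    """Return (timestamp, src, sport, dst, dport, flags), or None for non-portscan lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def longest_run(ports):
    """Length of the longest run of consecutive port numbers (a sequential-scan signature)."""
    best = run = 1
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_syn_scans(lines, min_ports=5, window_s=60):
    """Group SYN-only probes by (src, dst) and report pairs that touched at least
    min_ports distinct destination ports within any window_s-second span (assumed thresholds)."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[5] == "******S*":          # SYN flag set and nothing else
            ts, src, _, dst, dport, _ = rec
            probes[(src, dst)].append((ts, dport))
    scans = {}
    for key, hits in probes.items():
        hits.sort()                               # time order, so windows start at each hit
        burst = any(
            len({p for t, p in hits[i:] if (t - hits[i][0]).total_seconds() <= window_s}) >= min_ports
            for i in range(len(hits))
        )
        if burst:
            ports = sorted({p for _, p in hits})
            scans[key] = {"ports": len(ports), "first": ports[0], "last": ports[-1],
                          "longest_run": longest_run(ports)}
    return scans

# Constructed sample: a subset of the lines quoted in the thread.
SAMPLE = """\
Apr 5 15:50:56 195.186.255.2:3595 -> y.y.y.y:45428 SYN ******S*
Apr 5 15:50:57 195.186.255.2:3596 -> y.y.y.y:45429 SYN ******S*
Apr 5 15:50:58 195.186.255.2:3597 -> y.y.y.y:45430 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3598 -> y.y.y.y:45431 SYN ******S*
Apr 5 15:50:59 195.186.255.2:3599 -> y.y.y.y:45432 SYN ******S*
Apr 5 15:51:41 195.186.255.2:3614 -> y.y.y.y:45440 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
""".splitlines()
```

Running `find_syn_scans(SAMPLE)` reports the pair with 7 distinct ports and a longest consecutive run of 5, which is the sequential pattern Matt points out; a lone SYN to port 80 from a normal client never reaches the threshold.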