Re: TCP ******S* portscan

[Chris Keladis <Chris.Keladis () cmc cwo net au>]

Marcel Hauser wrote:

> Quoting Andrew Blevins <ABlevins () arrowheadgrp com>:
>
> > This is a SYN scan, with sets a flag that some firewalls will allow to
> > pass.
> > That may be the issue.
> > Feel free to brutally correct me if I'm wrong (which I prob am!)
> > Happy Hunting
> Another question about that... as i'am doing dnat (external IP:80 --> internal
> IP:80)... why is snort only reporting a portscan to my internal webserver? and
> for example not to my dns server as a second host also ? (which runs on a
> different machine in my internal network)

Your snort.conf is probably configured to ignore "portscans" from your DNS
servers as they generate alot of false-positives (usually through the DNS_SERVERS

variable).



> And thats strange either:
>
> Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
> Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
> Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
> Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*
>
> first all those 45445 and so on destination ports were scanned, and at the end
> it "jumps" five times to port 80 ?

That could be an attacker peculiarity rather than a Snort oddity.

To draw any accurate conclusion you need to know what packets really got sent to
Snort, before you can say Snort did not process them correctly.



HIH,

Chris.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users