Snort mailing list archives

Re: am i scanning other ip's?


From: James Hoagland <hoagland () SiliconDefense com>
Date: Mon, 9 Dec 2002 13:00:18 -0500

Alfredo,

At 10:36 AM +0100 12/9/02, Alfredo D wrote:


Hi. First of all, excuse my English.

I'm new to Snort, but I installed a Mandrake Firewall that uses it, and looking in the logs I found this in portscan.log.
It seems like my computer is doing portscans to other IPs. Right?
What is SYN ******S*?
The ports 61XXX?
I installed the computer two days ago. Is it being hacked?


What you show here looks like normal web surfing to me; port 80 traffic mixed with UDP DNS traffic. Timing seems about right. One of the IPs listed resolves to Google even.

It looks like you need to turn down the sensitivity of the portscan detector.

Kind regards,

  Jim

Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:40 [my own ip]:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:44 [my own ip]:61596 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:05:59 [my own ip]:61600 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:00 [my own ip]:61601 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:10 [my own ip]:61602 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:20 [my own ip]:61606 -> 63.209.80.228:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61608 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61609 -> 63.209.80.229:80 SYN ******S*


--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
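The questions in this thread (what the flag field means, why a client's 61xxx source ports show up, and how a threshold-based portscan detector ends up alarming on ordinary web surfing) can be worked through on the log format itself. The script below is an added example, not code from the post or from Snort: it parses portscan.log lines like the ones above, decodes Snort's 8-character "12UAPRSF" flag field (so "******S*" reads as a bare SYN), and then runs a deliberately simplified distinct-target-per-window count as a stand-in for the portscan preprocessor's logic, alongside a tuning check that separates browsing-shaped traffic (many hosts, only normal service ports, one port per host) from a vertical scan (many ports on one host). The sample lines are constructed to mirror the log above using RFC 5737 documentation addresses for the client and the resolver; the window, threshold and SERVICE_PORTS values are assumptions chosen for the illustration, not Snort defaults.

```python
import re
from collections import defaultdict

# Snort prints TCP flags as an 8-character field in the order 12UAPRSF:
# two reserved bits, then URG, ACK, PSH, RST, SYN, FIN. A '*' means the bit
# is clear, so "******S*" is a bare SYN, i.e. a client opening a connection.
FLAG_ORDER = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# One portscan.log line: "Mon DD HH:MM:SS src:sport -> dst:dport KIND [flags]".
# KIND is Snort's label for the packet type (SYN, UDP, ...); the flag field
# only follows TCP entries.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\w+)(?:\s+(?P<flags>[12UAPRSF*]{8}))?\s*$"
)

# Assumption for this example: ports a plain browsing client is expected to use.
SERVICE_PORTS = {53, 80, 443}


def decode_flags(field):
    """Turn a 12UAPRSF field such as '******S*' into the set of flag names set."""
    return {name for name, ch in zip(FLAG_ORDER, field) if ch != "*"}


def parse_line(line):
    """Parse one portscan.log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Seconds since midnight; the example assumes a single-day log.
    ts = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": "udp" if m["kind"] == "UDP" else "tcp",
        "kind": m["kind"],
        "flags": decode_flags(m["flags"]) if m["flags"] else set(),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def max_targets_in_window(events, window):
    """Largest number of distinct (dst, dport) targets one source touched within
    any `window`-second span. A threshold on this count is the simplified
    stand-in here for what a portscan detector alarms on."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    best = 0
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {(e["dst"], e["dport"])
                       for e in evs[i:] if e["ts"] - first["ts"] <= window}
            best = max(best, len(targets))
    return best


def classify(events, window=60, threshold=4):
    """'quiet' if the raw count stays under the threshold; otherwise
    'browsing-like' when every target is a service port and each host was
    contacted on a single port, else 'portscan' (many ports on one host, or
    unexpected ports)."""
    if max_targets_in_window(events, window) < threshold:
        return "quiet"
    ports_per_host = defaultdict(set)
    for e in events:
        ports_per_host[e["dst"]].add(e["dport"])
    all_service = all(p in SERVICE_PORTS
                      for ports in ports_per_host.values() for p in ports)
    one_port_each = all(len(ports) == 1 for ports in ports_per_host.values())
    return "browsing-like" if all_service and one_port_each else "portscan"


# Constructed sample mirroring the log above: 192.0.2.10 stands in for
# "[my own ip]" and 198.51.100.53 for "[isp dns]". Source ports climb through
# the 61xxx range because the client OS hands out ephemeral ports in sequence.
BROWSING_LOG = """\
Jan 1 10:05:18 192.0.2.10:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 192.0.2.10:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:40 192.0.2.10:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:47 192.0.2.10:61597 -> 198.51.100.53:53 UDP
Jan 1 10:05:48 192.0.2.10:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:20 192.0.2.10:61606 -> 63.209.80.228:80 SYN ******S*
"""

# Constructed contrast: one source probing eight ports on a single host.
SCAN_LOG = "\n".join(
    f"Jan 1 10:07:0{i % 3} 192.0.2.10:{52000 + i} -> 203.0.113.5:{p} SYN ******S*"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443))
)

if __name__ == "__main__":
    print("******S* ->", decode_flags("******S*"))
    print("browsing sample:", classify(parse_log(BROWSING_LOG)))
    print("scan sample:", classify(parse_log(SCAN_LOG)))
```

The raw count fires on the browsing sample just as the poster's detector did (five distinct targets inside a minute), which is why the reply's advice is to turn the sensitivity down rather than to treat the alert as a compromise; the second check shows one shape such tuning can take, while the vertical-scan sample still trips it.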

