Snort mailing list archives
Re: am i scanning other ip's?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 09 Dec 2002 14:04:14 -0500
No, you just have your HOME_NET set as any and the portscan processor is acting accordingly. If you want to use HOME_NET as any, do not use HOME_NET in your portscan preprocessor line in snort.conf. You'll false positive like mad.
All the port 80 traffic is you connecting to websites; all the port 53 traffic is you performing DNS lookups. This is the line of snort.conf that is hurting you:

preprocessor portscan: $HOME_NET 4 3 portscan.log

So any time any machine connects to more than 4 machines in HOME_NET within 3 seconds, the portscan processor goes off.
Of course, if you're looking at your outbound traffic, it's very easy for your home machine to connect to 4 external machines in 3 seconds.. in fact.. it's normal.
At 10:36 AM 12/9/2002 +0100, you wrote:
hi. First of all excuse my English. I'm new to snort, but I installed a Mandrake Firewall that uses it, and looking in logs I found this in portscan.log. It seems like my computer is doing portscans to other ip's. right? What is SYN ******S*? The ports 61XXX? I installed the computer two days ago. Is it being hacked?

Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:40 [my own ip]:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:44 [my own ip]:61596 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:05:59 [my own ip]:61600 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:00 [my own ip]:61601 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:10 [my own ip]:61602 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:20 [my own ip]:61606 -> 63.209.80.228:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61608 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61609 -> 63.209.80.229:80 SYN ******S*
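To see why the "4 hosts in 3 seconds" rule fires on ordinary browsing whenever HOME_NET is any, here is a small Python re-implementation of the rule as Matt describes it, run over a constructed log in the portscan.log format quoted above (example code added here, not part of the thread or of Snort itself; 192.0.2.10 and 198.51.100.53 are stand-ins for the redacted [my own ip] and [isp dns], and the burst of web hosts is constructed).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in portscan.log format: one browser session opening a page
# whose embedded resources live on five different web hosts within three seconds.
# 192.0.2.10 stands in for "[my own ip]", 198.51.100.53 for "[isp dns]".
SAMPLE_LOG = """\
Jan 1 10:05:18 192.0.2.10:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:19 192.0.2.10:61592 -> 198.51.100.53:53 UDP
Jan 1 10:05:19 192.0.2.10:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:20 192.0.2.10:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:20 192.0.2.10:61595 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:05:21 192.0.2.10:61596 -> 63.209.80.228:80 SYN ******S*
Jan 1 10:05:40 192.0.2.10:61597 -> 216.239.39.101:80 SYN ******S*
"""

# "Mon D HH:MM:SS src:port -> dst:port ..." ; the year is absent in this format.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):\d+ -> (\S+):\d+ ")


def parse(log):
    """Yield (timestamp, src, dst) for each well-formed portscan.log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def scan_sources(log, home_net, hosts=4, seconds=3):
    """Sources that contact more than `hosts` distinct destinations inside
    `home_net` within any `seconds`-long window: the rule as the reply states it,
    with the "4 3" values from the quoted snort.conf line as defaults."""
    net = None if home_net == "any" else ipaddress.ip_network(home_net)
    recent = defaultdict(list)  # src -> [(ts, dst), ...] still inside the window
    alerts = set()
    for ts, src, dst in parse(log):
        if net is not None and ipaddress.ip_address(dst) not in net:
            continue  # destination outside HOME_NET is never counted
        window = [(t, d) for t, d in recent[src] if (ts - t).total_seconds() <= seconds]
        window.append((ts, dst))
        recent[src] = window
        if len({d for _, d in window}) > hosts:
            alerts.add(src)
    return alerts
```

With home_net="any" the browsing burst is reported as a scan; with HOME_NET set to the machine's real network (here 192.0.2.0/24) the same log produces nothing, because none of the destinations are inside it.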