Snort mailing list archives

Re: am i scanning other ip's?

From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 09 Dec 2002 14:04:14 -0500

No, you just have your HOME_NET set as any and the portscan processor isacting accordingly. IF you want to use HOME_NET as any, do not use HOME_NETin your portscan preprocessor line in snort.conf. You'll False Positivelike mad.



All the port 80 traffic is you connecting to websites
all the port 53 traffic is you performing DNS lookups.

This is the line of snort.conf that is hurting you:

preprocessor portscan: $HOME_NET 4 3 portscan.log

So any time any machine connects to any more than 4 machines in HOME_NETwithin 3 seconds, the portscan processor goes off.

Of course, if you're looking at your outbound traffic, it's very easy foryour home machine to connect to 4 external machines in 3 seconds.. infact.. it's normal.


At 10:36 AM 12/9/2002 +0100, you wrote:



hi. First of all excuse my english

i'm new to snort, but i installed a Mandrake Firewall that uses it, andlooking in logs i found this in portscan.log

it seems like my computer is doing portscans to other ip's. right?
what is SYN ******S*?
the ports 61XXX?
i installed the computer two days ago. is being hacked?

Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
Jan 1 10:05:40 [my own ip]:61594 -> 64.70.54.43:80 SYN ******S*
Jan 1 10:05:44 [my own ip]:61596 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:05:59 [my own ip]:61600 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:00 [my own ip]:61601 -> 64.152.64.67:80 SYN ******S*
Jan 1 10:06:10 [my own ip]:61602 -> 216.239.39.101:80 SYN ******S*
Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
Jan 1 10:06:20 [my own ip]:61606 -> 63.209.80.228:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61608 -> 63.209.80.244:80 SYN ******S*
Jan 1 10:06:23 [my own ip]:61609 -> 63.209.80.229:80 SYN ******S*




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

am i scanning other ip's? Alfredo D (Dec 09)
- Re: am i scanning other ip's? Adrian Peters (Dec 09)
- Re: am i scanning other ip's? James Hoagland (Dec 09)
- Re: am i scanning other ip's? Matt Kettler (Dec 09)