Snort mailing list archives

Re: Web servers scanning clients!!!


From: Jason <security () brvenik com>
Date: Thu, 26 Dec 2002 20:17:47 -0500

Curious,

what is your config like?

specifically,

targets_max
target_limit
port_limit

is it a case where you have more hosts on your net than targets_max is set to?

Jason

Matt Kettler wrote:
Actually, note that those are ack-syn packets from their port 80 to ports in the "client" range on your system.

You're the one "scanning" them.

In this case your web browser is rapidly opening connections to download a large number of small images in the page. Each successive connection gets a different source-port on your side, and the responses look like a portscan to the portscan2 preprocessor.

I too have this problem with portscan2 since I enabled it. It seems that some awareness of the outbound syn packets from your home_net should be present to keep this from false-alerting, but it doesn't seem to be present in snort 1.9.0. (this could also be a config bug on my part, and Farzin's too)

Is this a known bug, or is there some way to tell the portscan2 preprocessor how to properly understand large bursts of outbound client connections from HOME_NET?



At 04:15 PM 12/26/2002 -0800, Farzin wrote:

Hi All,

Looking at my snort logs, I see that when a user accesses some sites such as http://www.nationalenquirer.com (38.144.52.102), the server turns around and scans about 21 ports on the client. Does anyone know why this is? Below is the log:

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x4613D2D4  Ack: 0xF07A44E3  Win: 0x2798  TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229213631 743607218 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460

[**] [117:1:1] (spp_portscan2) Portscan detected from 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x49DDC83A  Ack: 0xF12A7099  Win: 0x2798  TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229216268 743609855 NOP WS: 0
TCP Options => NOP NOP SackOK MSS: 1460


TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport: 34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213

Thanks in advance,


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
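Matt's diagnosis above (the SYN-ACKs answering the browser's burst of connections are counted as probes against the client) as an added example, not code from the thread or from Snort: a portscan2-style per-source distinct-port counter beside one that first discards outbound SYNs from HOME_NET and the replies that match them. The packet records, the "MY.IP" and scanner addresses and the port_limit value of 20 are constructed; the client port numbers follow Farzin's log.

```python
from collections import defaultdict

# Constructed packets modelled on the log in the thread: (time, src, sport, dst, dport, flags).
# "MY.IP" is the HOME_NET client; the outbound SYNs are the half the posted log does not show.
HOME_NET = {"MY.IP"}
WEB = "38.144.52.102"
SCANNER = "198.51.100.7"      # constructed address for a genuine unsolicited scan
PACKETS = []
for i, cport in enumerate(range(34189, 34210)):             # 21 client source ports in ~1 s
    t = 33.5 + i * 0.05
    PACKETS.append((t, "MY.IP", cport, WEB, 80, "S"))        # browser opens a connection
    PACKETS.append((t + 0.02, WEB, 80, "MY.IP", cport, "SA"))  # web server's SYN-ACK reply
for i, port in enumerate(range(1, 26)):                      # 25 SYNs nobody asked for
    PACKETS.append((40.0 + i * 0.01, SCANNER, 40000 + i, "MY.IP", port, "S"))

def naive_portscan(packets, port_limit=20, window=2.0):
    """portscan2-style count: distinct dst ports per src within `window` seconds,
    with no notion of who opened the connection. port_limit is one of the knobs
    named in the thread; 20 is a constructed value. Returns {src: max ports seen}
    for every source that exceeded the limit."""
    hist = defaultdict(list)                                  # src -> [(time, dport)]
    alerts = {}
    for t, src, sport, dst, dport, flags in packets:
        if "S" not in flags:                                  # only SYN-bearing segments
            continue
        hist[src] = [(ts, p) for ts, p in hist[src] if t - ts <= window] + [(t, dport)]
        n = len({p for _, p in hist[src]})
        if n > port_limit:
            alerts[src] = max(n, alerts.get(src, 0))
    return alerts

def aware_portscan(packets, **kw):
    """Same count, but an outbound SYN from HOME_NET is remembered and the SYN-ACK
    that answers it (reversed 4-tuple) is dropped before counting, so replies to
    our own connections are not probes. Unsolicited SYNs are still counted."""
    pending, filtered = set(), []
    for pkt in packets:
        _, src, sport, dst, dport, flags = pkt
        if flags == "S" and src in HOME_NET:
            pending.add((src, sport, dst, dport))             # remember our handshake
        elif flags == "SA" and (dst, dport, src, sport) in pending:
            pending.discard((dst, dport, src, sport))         # matched reply: not a probe
        else:
            filtered.append(pkt)                              # everything else is counted
    return naive_portscan(filtered, **kw)

if __name__ == "__main__":
    print("naive:", naive_portscan(PACKETS))   # {'38.144.52.102': 21, '198.51.100.7': 25}
    print("aware:", aware_portscan(PACKETS))   # {'198.51.100.7': 25}
```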