Snort mailing list archives
Re: Web servers scanning clients!!!
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 26 Dec 2002 22:32:16 -0500
Ahh, so sorry, I interpreted you as asking intently about target_limit, not targets_max.. Which would, really, not matter :)
In any event both scanners_max, and targets_max are at least one order of magnitude greater than the total number of used IPs inside this network. (ie: there's less than 320 active systems/appliances with IP addresses here).
Even during quiescent hours when nobody else is here I can make the alerts fire. Like right now.. yes, there are a couple of servers here, including a DNS server, running amok, but the network is relatively quiet at the moment and I'm the only human at a computer or making any client systems do much. A short run of tcpdump on the snort box showed 52 packets in 19.5 seconds (while I was not browsing the web).
[**] [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.13: 1 targets 61 ports in 7 seconds [**]
12/26-22:31:34.021685 205.206.231.13:80 -> xx.xx.xx.xx:1321 TCP TTL:45 TOS:0x0 ID:8401 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x685A5A64 Ack: 0xAA737BF0 Win: 0x7E24 TcpLen: 28
TCP Options (4) => MSS: 1404 NOP NOP SackOK

For this simple example I went to http://www.securityfocus.com/ in mozilla (1.2.1, win32), waited 30 seconds for the original connections to time-out (I have a 20 sec timeout set for portscan2), and did a shift-reload twice. Poof, instant alert from 61 connections in a mere 2 page loads. Given that the default is 20, I suspect one load would trigger that level.
At 10:10 PM 12/26/2002 -0500, Jason wrote:
Matt Kettler wrote:
> No, this is a port_limit exceeded issue, not a number of targets issue. It doesn't matter how many machines are on my lan, or if the number of them is greater than targets_max. The number of targets in the alert is 1 :)
Are you absolutely sure :-)
I understand the situation completely. Questions are sometimes intended to get information as much as they are intended to get a thought rolling.
[snip rest]
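The mechanism Matt describes above, as an added example that is not part of the thread or of Snort's own code: a toy port-scan counter in the style of portscan2 (per-source window of `timeout` seconds, fire when more than `port_limit` distinct destination ports are seen), run over constructed packet lines formatted like the Snort packet header in the alert. It shows why a busy web server trips the threshold: every SYN/ACK it returns goes from port 80 to a different ephemeral port on the client, so counting SYN-bearing packets without regard to direction makes the server look like a one-target scanner. The `ignore_replies` switch, which skips packets carrying both SYN and ACK, is this example's own idea for telling replies from probes and is not a portscan2 option; the hosts 10.0.0.5 and 192.0.2.9 and all packet lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample traffic: a browser (CLIENT) opening many connections to
# SERVER:80, then a real SYN scan from SCANNER against CLIENT. None of these
# packets come from the original post; the addresses are illustrative.
CLIENT, SERVER, SCANNER = "10.0.0.5", "205.206.231.13", "192.0.2.9"

# Matches the Snort packet header layout shown in the alert:
# "12/26-22:31:34.021685 205.206.231.13:80 -> x.x.x.x:1321 TCP ... DF ***A**S* ..."
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+TCP\b.*?"
    r"\s(?P<flags>[*12UAPRSF]{8})\s"
)


def _pkt(sec, src, sport, dst, dport, flags):
    """Build one constructed packet line in the Snort header format."""
    return (f"12/26-22:31:{sec:09.6f} {src}:{sport} -> {dst}:{dport} TCP TTL:45 TOS:0x0 "
            f"ID:8401 IpLen:20 DgmLen:48 DF {flags} Seq: 0x0 Ack: 0x0 Win: 0x7E24 TcpLen: 28")


def build_sample(n_conn=25):
    """n_conn browser connections (SYN, SYN/ACK, ACK each) followed by an n_conn-port SYN scan."""
    lines = []
    for i in range(n_conn):
        t, cport = 30 + i * 0.25, 1321 + i           # connections spread over a few seconds
        lines.append(_pkt(t, CLIENT, cport, SERVER, 80, "******S*"))        # browser SYN
        lines.append(_pkt(t + 0.05, SERVER, 80, CLIENT, cport, "***A**S*"))  # server SYN/ACK
        lines.append(_pkt(t + 0.10, CLIENT, cport, SERVER, 80, "***A****"))  # handshake ACK
    for i in range(n_conn):
        lines.append(_pkt(40 + i * 0.1, SCANNER, 40000 + i, CLIENT, 1 + i, "******S*"))  # probe
    return lines


def scan_alerts(lines, port_limit=20, timeout=20.0, ignore_replies=False):
    """Return (src, targets, ports, seconds) for every source that exceeds port_limit.

    Counting mirrors the post's reading of portscan2: any SYN-bearing packet adds its
    destination (host, port) to the per-source set; the window resets after `timeout`.
    With ignore_replies=True, SYN/ACK packets (server responses) are not counted.
    """
    state, alerts = {}, []
    for line in lines:
        m = PACKET_RE.match(line)
        if not m:
            continue
        flags = m["flags"]                      # Snort flag string: 1 2 U A P R S F
        syn, ack = flags[6] == "S", flags[3] == "A"
        if not syn or (ignore_replies and ack):
            continue
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
        src = m["src"]
        s = state.get(src)
        if s is None or (ts - s["first"]).total_seconds() > timeout:
            s = state[src] = {"first": ts, "targets": set(), "ports": set(), "fired": False}
        s["targets"].add(m["dst"])
        s["ports"].add((m["dst"], int(m["dport"])))
        if not s["fired"] and len(s["ports"]) > port_limit:
            s["fired"] = True
            elapsed = (ts - s["first"]).total_seconds()
            alerts.append((src, len(s["targets"]), len(s["ports"]), round(elapsed)))
    return alerts


if __name__ == "__main__":
    for a in scan_alerts(build_sample()):
        print("Portscan detected from %s: %d targets %d ports in %d seconds" % a)
    print("replies ignored:", scan_alerts(build_sample(), ignore_replies=True))
```

With the defaults the web server fires exactly as in Matt's alert (one target, many ports) even though it never initiated anything, and the genuine scanner fires too; skipping SYN/ACK packets leaves only the scanner, which is the distinction a tuning step for this false positive has to make.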
Current thread:
- Web servers scanning clients!!! Farzin (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Jason (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Alberto Gonzalez (Dec 26)