Snort mailing list archives
RE: Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
Date: 24 Oct 2002 12:51:31 -0600
Well, I do use AIM. I also have a Game server running on port 27016 and 27017. If this is normal TCP/UDP communication, I'm OK with that. I was just concerned that someone hacked me and was using my machine as a proxy to attack other machines (or at least scan other machines). But I can't see any evidence of that. I have checked the logs, bash_history of my few users, and a neat tool called last. I also ran a root kit check. So, at this point, I'm pretty sure that it is just normal traffic. Just threw me off guard cause I have never seen this before in ACID...

Thanks
Joe

On Thu, 2002-10-24 at 12:38, Hicks, John wrote:
> Instance #2 is what I was assuming your issue to be. Instance #1 imho needs more correlation, but given UDP and the destination port being the same, I'd assume maybe IM?
>
> John
>
> -----Original Message-----
> From: Joe Giles [mailto:jgiles () joeman1 com]
> Sent: Thursday, October 24, 2002 2:26 PM
> To: Soren Macbeth
> Cc: Snort-List
> Subject: RE: [Snort-users] Portscan 2 question
>
> Here is what I found in that scan.log file for the 2 dest IP's...
>
> Instance 1>
> 10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
> 10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
> 10/18-13:22:24.504843 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
> 10/18-13:33:27.113376 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
> 10/18-13:36:00.675879 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
> 10/18-14:52:00.545930 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
> 10/18-19:04:12.292185 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
> 10/19-12:38:43.719170 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
> 10/19-19:16:04.828533 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
> 10/19-19:41:53.321697 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
> 10/19-21:13:32.829862 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
> 10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0
>
> Instance 2>
> 10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
>
> What do you think?
>
> Thanks
> Joe
>
> On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
> > Look at the ports that portscan2 reported. Sometimes clients browsing websites cause portscan2 to trigger based on the fact that some browsers initiate a new connection (and thus, new port) for each image. If you haven't changed the config, there should be a scan.log file in your snort log directory which will have more info.
> >
> > //soren
> >
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles () joeman1 com]
> > Sent: Thursday, October 24, 2002 1:23 PM
> > To: Snort-List
> > Subject: [Snort-users] Portscan 2 question
> >
> > I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as a spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.
> >
> > Thanks
> > Joe

-------------------------------------------------------
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
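The scan.log excerpt in this thread can be checked mechanically. The example below is added here and is not code from the thread or from Snort: it parses lines in the spp_portscan2 scan.log format quoted above and applies the reasoning Soren and John gave (many ephemeral source ports to one fixed destination port looks like a client such as a browser, IM or game; one source touching several destination ports on one host deserves a closer look). The sample lines are constructed and modeled on the thread, host 192.0.2.10 is made up, and the threshold of three destination ports is an assumption.

```python
import re
from collections import defaultdict

# Line format of the spp_portscan2 scan.log entries quoted in the thread;
# the "flags:" field appears only on TCP entries, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<proto>TCP|UDP) "
    r"src: (?P<src>\S+) dst: (?P<dst>\S+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) "
    r"tgts: (?P<tgts>\d+) ports: (?P<ports>\d+) (?:flags: (?P<flags>\S+) )?event_id: (?P<event_id>\d+)$"
)

def parse_line(line):
    """Return one scan.log entry as a dict, or None for non-matching text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "tgts", "ports", "event_id"):
        e[k] = int(e[k])
    return e

def summarize(lines):
    """Group entries by (src, proto, dst) and collect source/destination ports."""
    groups = defaultdict(lambda: {"sports": set(), "dports": set()})
    for e in filter(None, map(parse_line, lines)):
        g = groups[(e["src"], e["proto"], e["dst"])]
        g["sports"].add(e["sport"])
        g["dports"].add(e["dport"])
    return groups

def classify(group, min_dports=3):
    """Heuristic from the thread: many ephemeral source ports to one fixed
    destination port is how a client (browser, IM, game) talks to a service;
    several destination ports on one host deserves a look (threshold assumed)."""
    if len(group["dports"]) == 1:
        return "fixed-service client traffic (likely false positive)"
    if len(group["dports"]) >= min_dports:
        return "multiple destination ports (investigate)"
    return "inconclusive"

# Constructed sample: two lines modeled on the thread's UDP instance, its TCP
# instance, and three made-up lines in which host 192.0.2.10 is hit on 21/22/23.
SAMPLE = """\
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
10/23-12:00:00.000001 TCP src: <INTERNALIP> dst: 192.0.2.10 sport: 40000 dport: 21 tgts: 1 ports: 3 flags: ******S* event_id: 0
10/23-12:00:00.000002 TCP src: <INTERNALIP> dst: 192.0.2.10 sport: 40001 dport: 22 tgts: 1 ports: 3 flags: ******S* event_id: 0
10/23-12:00:00.000003 TCP src: <INTERNALIP> dst: 192.0.2.10 sport: 40002 dport: 23 tgts: 1 ports: 3 flags: ******S* event_id: 0
""".splitlines()
```

Running `summarize` over a real scan.log and printing `classify` per key gives a first pass over what portscan2 flagged; the verdicts are a triage hint, not proof either way.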
Current thread:
- Re: Portscan 2 question, (continued)
- Re: Portscan 2 question Robby Desmond (Oct 24)
- Re: Portscan 2 question Joe Giles (Oct 24)
- Re: Portscan 2 question Joe Giles (Oct 24)
- Re: Portscan 2 question Gary Verhulp (Oct 24)
- Message not available
- Re: Portscan 2 question Joe Giles (Oct 24)
- Re: Portscan 2 question Robby Desmond (Oct 24)
- RE: Portscan 2 question Joe Giles (Oct 24)
- RE: Portscan 2 question Soren Macbeth (Oct 24)
- RE: Portscan 2 question Joe Giles (Oct 24)
- RE: Portscan 2 question Soren Macbeth (Oct 24)
- RE: Portscan 2 question Hicks, John (Oct 24)
- RE: Portscan 2 question Joe Giles (Oct 24)
- RE: Portscan 2 question Brian F. Vaughan (Oct 24)