Snort mailing list archives

RE: Portscan 2 question


From: "Brian F. Vaughan" <bvaughan () wgen net>
Date: Thu, 24 Oct 2002 15:33:15 -0400

Have you performed an nslookup on the dst IP? It is an ISP that may have a user hosting a game server or something, as 
it is going to a high-numbered UDP port. You should also check the internal machine that is the src to make sure there 
isn't a virus or some backdoor program sending info back to the dst IP.

Brian Vaughan
IT Administrator



-----Original Message-----
From: Soren Macbeth [mailto:smacbeth () atc-nycorp com]
Sent: Thursday, October 24, 2002 2:33 PM
To: 'Joe Giles'; Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question


I'm not sure about the udp dport 27160 stuff. Are you running some
application on that port? It's all traffic to one particular host. You may
want to check into that.

The second one is definitely benign web browsing.

//soren


-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com] 
Sent: Thursday, October 24, 2002 2:26 PM
To: Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

Here is what I found in that scan.log file for the 2 dest IPs... 

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe


On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
Look at the ports that portscan2 reported. Sometimes clients browsing
websites cause portscan2 to trigger based on the fact that some browsers
initiate a new connection (and thus, new port) for each image. If you
haven't changed the config, there should be a scan.log file in your snort
log directory which will have more info.

//soren 

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com] 
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe
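A small triage helper for the scan.log entries quoted in this thread (an added example, not code from the thread or from Snort; the sample lines are the thread's own entries re-joined onto one line each, with a constructed 10.0.0.5 standing in for the redacted <INTERNALIP>). It parses the spp_portscan2 line format and groups events by destination, so that "many client ports to one fixed service port" (the browsing pattern Soren describes, and what the UDP 27160 entries also show) is separated from a real spread across destination ports.

```python
import re
from collections import defaultdict

# One spp_portscan2 scan.log entry in the layout quoted in this thread;
# the "flags:" field is present on TCP entries only.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>UDP|TCP)\s+src:\s*(?P<src>\S+)"
    r"\s+dst:\s*(?P<dst>\S+)\s+sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)"
    r"\s+tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)"
    r"(?:\s+flags:\s*(?P<flags>\S+))?\s+event_id:\s*(?P<eid>\d+)$"
)

# Constructed sample: entries from the thread re-joined onto single lines,
# with 10.0.0.5 standing in for the redacted <INTERNALIP>.
SAMPLE = """\
10/17-14:29:25.712618  UDP src: 10.0.0.5 dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: 10.0.0.5 dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/22-14:51:35.899289  UDP src: 10.0.0.5 dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0
10/23-11:17:52.681476  TCP src: 10.0.0.5 dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
"""

def parse_scan_log(text):
    """Return one dict per well-formed line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "tgts", "ports", "eid"):
                d[k] = int(d[k])
            events.append(d)
    return events

def triage(events):
    """Group by (src, proto, dst) and say whether dst saw one fixed service port."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["proto"], e["dst"])].append(e)
    verdicts = {}
    for (src, proto, dst), evs in groups.items():
        dports = sorted({e["dport"] for e in evs})
        ephemeral = all(e["sport"] >= 1024 for e in evs)  # client-side ports
        syn_only = proto == "TCP" and all(e["flags"] == "******S*" for e in evs)
        # Varying client ports to one service port on one host = repeated
        # sessions (e.g. browsing on TCP/80), not a probe of that host's ports.
        verdict = "single-service" if len(dports) == 1 and ephemeral else "multi-port"
        verdicts[(src, proto, dst)] = {"events": len(evs), "dports": dports,
                                        "syn_only": syn_only, "verdict": verdict}
    return verdicts
```

A "single-service" verdict still leaves Brian's follow-up to do: identify what service the dst runs on that port and check the internal src host for unexpected software.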





-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

