Snort mailing list archives
Lots of outgoing portscans
From: Richard Gaywood <rich () fscked co uk>
Date: Wed, 22 Oct 2003 08:28:49 +0100
Hello list! Please forgive me posting without lurking first but I'm slightly panicked about this. I have lots and lots of outgoing portscans in my snort logs. Googling around has suggested they are probably a false positive, related to opening webpages or DNS or the like; however, I'm worried about these because they are addressed to lots of closely-related IPs on port 7, none of which seem to have a reverse DNS entry. Here's all the portscans out of my current log:

    arawn:/var/log/snort# grep -A 1 Portscan alert | grep -E ">"
    10/22-06:26:10.351367 10.0.1.1:41700 -> 66.151.150.23:7
    10/22-06:27:11.250670 10.0.1.1:41717 -> 66.151.150.23:7
    10/22-06:33:05.680585 10.0.1.1:41748 -> 195.8.69.184:110
    10/22-06:39:04.657120 10.0.1.1:41775 -> 195.8.69.217:110
    10/22-06:56:45.040775 10.0.1.1:60127 -> 62.24.228.9:53
    10/22-07:00:03.385067 10.0.1.1:800 -> 10.0.2.1:2049
    10/22-07:06:10.873928 10.0.1.1:41893 -> 66.151.150.23:7
    10/22-07:08:41.380060 10.0.1.1:41912 -> 66.151.150.25:7
    10/22-07:14:36.747681 10.0.1.1:41963 -> 66.151.150.17:7
    10/22-07:20:39.484445 10.0.1.1:42013 -> 212.159.10.1:110
    10/22-07:21:50.369177 10.0.1.1:42028 -> 66.151.150.16:7
    10/22-07:26:24.121002 10.0.1.1:42043 -> 66.151.150.25:7
    10/22-07:38:13.784414 10.0.1.1:42106 -> 66.151.150.25:7
    10/22-07:44:09.269896 10.0.1.1:42138 -> 66.151.150.31:7
    10/22-07:50:02.058749 10.0.1.1:42181 -> 66.151.150.23:7
    10/22-07:55:57.510212 10.0.1.1:42211 -> 66.151.150.31:7
    10/22-08:00:08.139381 10.0.1.1:42242 -> 65.54.228.253:443
    10/22-08:01:55.349904 10.0.1.1:42262 -> 66.151.150.31:7
    10/22-08:02:27.344184 10.0.1.1:42299 -> 66.151.150.31:7
    10/22-08:07:49.892392 10.0.1.1:42323 -> 66.151.150.25:7
    10/22-08:09:08.090418 10.0.1.1:42379 -> 194.109.137.218:80
    10/22-08:10:42.448357 10.0.1.1:42379 -> 194.109.137.218:80
    10/22-08:13:49.046051 10.0.1.1:42402 -> 66.151.150.31:7
    10/22-08:15:58.498816 10.0.1.1:42445 -> 208.185.25.38:21

The machine is a web and email server, and no web browsing happens off it, nor does it have a web cache.
It does act as a DNS proxy for my network so perhaps that is the explanation, but all that port 7 activity looks rather dodgy to me. Anyone offer me a benign explanation before I have to take the server offline?

--
Richard Gaywood <rich () fscked co uk>
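The triage the poster did by eye (grouping the alert lines by destination network and port to see which ones look like a sweep and which are single-host contacts) can be scripted. This is an added example, not code from the original post or from Snort; it parses lines in the `timestamp src:port -> dst:port` shape quoted above, using a constructed subset of them as sample input, and the /24 grouping and the three-host threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the alert lines quoted in the post,
# in the "timestamp src:port -> dst:port" shape the grep produced.
SAMPLE_ALERTS = """\
10/22-06:26:10.351367 10.0.1.1:41700 -> 66.151.150.23:7
10/22-06:33:05.680585 10.0.1.1:41748 -> 195.8.69.184:110
10/22-06:56:45.040775 10.0.1.1:60127 -> 62.24.228.9:53
10/22-07:08:41.380060 10.0.1.1:41912 -> 66.151.150.25:7
10/22-07:14:36.747681 10.0.1.1:41963 -> 66.151.150.17:7
10/22-07:44:09.269896 10.0.1.1:42138 -> 66.151.150.31:7
10/22-08:09:08.090418 10.0.1.1:42379 -> 194.109.137.218:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed alert line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def summarize(text, prefix=24):
    """Group hits by (destination network of the given prefix length, destination port).

    Returns {(network_str, port): sorted list of distinct destination hosts}.
    Several hosts of one network on one port is a sweep-like shape; one host
    per (network, port), like the POP3, DNS and HTTP lines, usually is not.
    """
    groups = defaultdict(set)
    for _src, dst, dport in parse_alerts(text):
        net = ip_network(f"{dst}/{prefix}", strict=False)  # assumption: /24 grouping
        groups[(str(net), dport)].add(dst)
    return {k: sorted(v, key=ip_address) for k, v in groups.items()}

def sweep_like(summary, min_hosts=3):
    """Return (network, port) keys that touched at least min_hosts distinct hosts."""
    return sorted(k for k, hosts in summary.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for (net, port), hosts in sorted(s.items()):
        print(f"{net} port {port}: {len(hosts)} host(s) {hosts}")
    print("sweep-like:", sweep_like(s))
```

Run against the full alert file the same way (`summarize(open("alert").read())`); the one group that crosses the threshold is the port 7 traffic into the 66.151.150.0/24 block, which is the pattern worth explaining before the single-host entries.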