Snort mailing list archives

Re: Re: Snort Logs [HITCON VIRUS CHECK: OK]


From: Maik.Linnemann () hitcon de
Date: Thu, 3 Jun 2004 14:29:09 +0200
That's absolutely right, but now I found out, or rather I forgot, that I
have a squid proxy on one location which is used by the whole domain. The
start site of the users' computers is the one on my webserver, so whenever
someone opens their browser the squid attempts a connection to my webserver.
If a lot of users open their browser it might be what you told me in your
mail!? But what I don't understand is: look at these two log files:


Datum: 06/03 11:46:02 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 46 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 217.95.238.230:33551
Referenz: nichts gefunden SID: n/a

In this one above, the address of my webserver:80 scans to an address:33551
SOMEWHERE........ why?
And in this one:
my webserver:80 scans to MY net address:35015 - this could be the proxy
problem!?

Datum: 06/03 11:56:05 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 2 targets 21 ports in 14 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:35015
Referenz: nichts gefunden SID: n/a

I am really confused!!!


-----Original Message-----
From:        "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner@baesystems.com>
Sent:        03.06.2004 14:00
To:          <Maik.Linnemann () hitcon de>, <snort-users () lists sourceforge net>
Cc:
Subject:     RE: [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]

That is pretty typical of a webserver.  A client browser will open multiple
connections to the server, perhaps to download many images concurrently.
Snort will then see the server sending data back to multiple ports on the
client. This can trigger the port scan mechanism.


-----Original Message-----
From:        snort-users-admin () lists sourceforge net on behalf of
Maik.Linnemann () hitcon de
Sent:        Thu 06/03/2004 06:37 AM
To:          snort-users () lists sourceforge net
Cc:
Subject:           [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]
Today I checked my logfiles and found really strange things in my IDS logs -
I found this:

Datum: 05/24 08:41:30 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 57 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:60847
Referenz: nichts gefunden SID: n/a

Datum: 05/24 09:10:04 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 2 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33149
Referenz: nichts gefunden SID: n/a

Datum: 05/24 09:11:22 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 18 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33281
Referenz: nichts gefunden SID: n/a

First of all: both of the addresses belong to me!!!!! The one out of port 80
is my mail server, and a webserver is also running on that machine. The
other one (targeted on 33281) is also mine, on a second location.... They're
connected via VPN...... but as you see, they use the external IP addresses,
so I guess it doesn't come from the inside of my nets...
I'm really not so deep into Snort, so if anyone could explain a little bit
what it could be - that would be great!!!!

What shall I do now? I haven't done a port scan!???? What do you think?

HITCON AG
Maik Linnemann
Gartenstrasse 208
48147 Münster
0251/2801-206 (Phone)
0251/2801-280 (Fax)
0170/6364123 (Mobil)
Mail: info () hitcon de
http://www.hitcon.de



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
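An added example, not from any poster in this thread: Jonathan's explanation above (a server answering many client connections from port 80 looks, to a distinct-port counter, like a scan) modelled in Python, together with a parser for the alert layout quoted in the thread and a triage rule that marks alerts whose "scanner" is one of our own listening ports. The service-port set, the window and threshold, and the flow records are assumptions constructed here, and the counting is a simplified model rather than spp_portscan2's actual algorithm.

```python
import re
from collections import defaultdict

# The first alert quoted in this thread, used as parser input (masked as posted).
ALERTS = """\
Datum: 06/03 11:46:02 Name: (spp_portscan2) Portscan detected from
195.202.xx.xx: 1 targets 21 ports in 46 seconds
Priorität: n/a Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 217.95.238.230:33551
Referenz: nichts gefunden SID: n/a
"""

ALERT_RE = re.compile(
    r"Portscan detected from\s+(?P<src>\S+): (?P<targets>\d+) targets "
    r"(?P<ports>\d+) ports in (?P<secs>\d+) seconds.*?"
    r"IP-Info: (?P<sip>\S+):(?P<sport>\d+) -> (?P<dip>\S+):(?P<dport>\d+)",
    re.S,
)

SERVICE_PORTS = {80, 443, 25}  # ports our own hosts listen on (assumed here)

def parse_alerts(text):
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alert):
    """'server-reply' if the 'scanner' is one of our services answering a
    client's ephemeral ports (the pattern in this thread), else 'review'."""
    if int(alert["sport"]) in SERVICE_PORTS and int(alert["dport"]) >= 1024:
        return "server-reply"
    return "review"

def distinct_dports(flows, window=60):
    """Simplified model of the count the alert reports: distinct destination
    ports per source within `window` s of its first flow. flows: (ts, sip, sport, dip, dport)."""
    seen, first = defaultdict(set), {}
    for ts, sip, sport, dip, dport in sorted(flows):
        first.setdefault(sip, ts)
        if ts - first[sip] <= window:
            seen[sip].add(dport)
    return {sip: len(p) for sip, p in seen.items()}

def would_alert(flows, threshold=21, window=60, ignore_service_ports=False):
    """Sources over the threshold; optionally drop flows sourced from our service ports first."""
    if ignore_service_ports:
        flows = [f for f in flows if f[2] not in SERVICE_PORTS]
    return sorted(s for s, n in distinct_dports(flows, window).items() if n >= threshold)

# Constructed flows: a browser fetching 25 images opens 25 connections, so
# the server's replies run from :80 to 25 different client ports.
SERVER_REPLIES = [(t, "192.0.2.10", 80, "198.51.100.20", 33500 + t) for t in range(25)]
```

With the constructed flows the server trips the threshold exactly as in the thread, and disappears from the result once flows sourced from its own listening port are excluded.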