Snort mailing list archives

RE: TCP Portsweep and TCP Portscan


From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Thu, 16 Dec 2004 08:34:04 -0800

TCP Portsweep is probably a reference to the nmap security scanner or
similar tool.

If I were in your position, I'd track down the owner/user of the machine in
question and find out what he or she is doing and why.  A conversation like
that is bound to be illuminating on many fronts.

If the user in question has no knowledge of that activity, then I'd want to
do some serious investigating of the machine in question, and on the network
to find out what MAC address is associated with this.

I realize that my answer is at somewhat of a tangent to your question, but
my approach has yielded so much more information over the long run than
simply obtaining the direct technical answer you were originally looking
for.

A persistent sense of curiosity is going to be one of your best allies
here.

Oh - semi-funny story - When I was with one large midwestern company, and I
saw signs of IRC traffic on the firewall logs, I'd track down the user of
the machine and ask them if they were using IRC.  Better than 9 times out of
10 the answer was "What's IRC?"  It was almost always a worm or trojan of
some kind.

Bob


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ashgate
Publishing Information Technology
Sent: Thursday, December 16, 2004 8:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP Portsweep and TCP Portscan

Hi,

I'm new to snort.  I have sensors set up on both the WAN side and the LAN
side of my network.  I'm seeing many, many alerts that are triggered on both
sensors. They are:

[**] [122:3:0] (portscan) TCP Portsweep [**]

and

[**] [122:1:0] (portscan) TCP Portscan [**]

The source is always a local workstation, and a large number of these are
coming from one workstation and the destination host is usually in the
yahoo.com domain.  I have also seen this alert when users visit ebay.

Can anyone provide any insight on what this is?  I'm relatively new to IDS
so I'd appreciate some pointers.

Thanks,

Nick




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
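The two signatures Nick quotes, [122:3:0] and [122:1:0], carry generator ID 122, which is Snort's portscan preprocessor rather than a rule in a rules file. Before walking over to the workstation, as Bob suggests, it helps to know exactly which local hosts are generating the alerts and how many distinct destinations each one touched. The script below is an added example, not code from the thread or from the Snort project: it parses a handful of constructed alert lines in Snort's one-line "fast" alert layout (timestamp, `[**] [gid:sid:rev] message [**]`, priority, protocol, `src -> dst`, which is an assumption about the output format the sensors were configured with), keeps only generator 122 events, and tallies them per source address so the noisiest workstation stands out. The sample addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort's "fast" alert format. These lines are
# made up for this example; they are not from the original post. Addresses
# come from private / documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
12/16-08:10:02.113421 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.42 -> 203.0.113.10
12/16-08:10:05.550019 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.42 -> 203.0.113.11
12/16-08:11:17.002381 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.42 -> 203.0.113.12
12/16-08:12:40.778110 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.168.1.77 -> 203.0.113.20
12/16-08:13:01.300200 [**] [1:1000001:1] LOCAL example rule [**] [Priority: 2] {TCP} 192.168.1.77:3411 -> 203.0.113.21:80
"""

# Generator ID of the portscan preprocessor (the "122" in 122:3:0 / 122:1:0).
PORTSCAN_GID = "122"

# One fast-format alert per line: timestamp, [gid:sid:rev], message, then
# "src[:port] -> dst[:port]" at the end of the line. Ports are optional
# because portscan pseudo-packets ({PROTO:255}) carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": d["gid"],
        "sig": f"{d['gid']}:{d['sid']}:{d['rev']}",
        "msg": d["msg"],
        "src": d["src"],
        "dst": d["dst"],
    }


def summarize_portscans(text):
    """Tally portscan-preprocessor alerts per source host.

    Returns {src: {"count": n, "sigs": Counter(msg -> n), "dsts": set(dst)}}.
    Lines that do not parse, or that come from another generator, are skipped.
    """
    per_src = defaultdict(lambda: {"count": 0, "sigs": Counter(), "dsts": set()})
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["gid"] != PORTSCAN_GID:
            continue
        entry = per_src[alert["src"]]
        entry["count"] += 1
        entry["sigs"][alert["msg"]] += 1
        entry["dsts"].add(alert["dst"])
    return dict(per_src)


def noisiest_source(summary):
    """The source address with the most portscan alerts (None if there are none)."""
    if not summary:
        return None
    return max(summary, key=lambda src: summary[src]["count"])


if __name__ == "__main__":
    summary = summarize_portscans(SAMPLE_ALERTS)
    for src, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        sigs = ", ".join(f"{m}={n}" for m, n in entry["sigs"].most_common())
        print(f"{src}: {entry['count']} alerts, {len(entry['dsts'])} destinations ({sigs})")
    print("start with:", noisiest_source(summary))
```

Run it against the sensor's alert file instead of the constructed string (for example, `summarize_portscans(open("alert").read())`) and the first line of output is the workstation to visit; a host whose destinations are all in one external domain, as Nick describes with yahoo.com, points more at how that application talks to many hosts in quick succession than at a deliberate sweep, which is exactly the kind of thing the conversation Bob recommends will settle.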
