Snort mailing list archives
RE: TCP Portsweep and TCP Portscan
From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Thu, 16 Dec 2004 08:34:04 -0800
TCP Portsweep is probably a reference to the nmap security scanner or similar tool. If I were in your position, I'd track down the owner/user of the machine in question and find out what he or she is doing and why. A conversation like that is bound to be illuminating on many fronts. If the user in question has no knowledge of that activity, then I'd want to do some serious investigating of the machine in question, and on the network to find out what MAC address is associated with this.

I realize that my answer is at somewhat of a tangent to your question, but my approach has yielded so much more information over the long run than simply obtaining the direct technical answer you were originally looking for. A persistent sense of curiosity is going to be one of your best allies here.

Oh - semi-funny story - When I was with one large midwestern company, and I saw signs of IRC traffic on the firewall logs, I'd track down the user of the machine and ask them if they were using IRC. Better than 9 times out of 10 the answer was "What's IRC?" It was almost always a worm or trojan of some kind.

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ashgate Publishing Information Technology
Sent: Thursday, December 16, 2004 8:24 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP Portsweep and TCP Portscan

Hi,

I'm new to snort. I have sensors setup on both the WAN side and the LAN side of my network. I'm seeing many, many alerts that are triggered on both sensors. They are:

[**] [122:3:0] (portscan) TCP Portsweep [**]

and

[**] [122:1:0] (portscan) TCP Portscan [**]

The source is always a local workstation, and a large number of these are coming from one workstation and the destination host is usually in the yahoo.com domain. I have also seen this alert when users visit ebay. Can anyone provide any insight on what this is?

I'm relatively new to IDS so I'd appreciate some pointers.

Thanks,
Nick

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
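The thread above leaves the technical side of the question open: the two alerts come from Snort's sfPortscan preprocessor (GID 122), where SID 1 "TCP Portscan" means one source touched many ports on one host and SID 3 "TCP Portsweep" means one source touched one port on many hosts. The script below is an added example, not code from the thread or from the Snort project; it does the two things a new analyst would want here: rank the alerting sources so the noisy workstation Bob suggests tracking down can be identified from the alert log, and replay the sweep/scan classification over flow records to show why a browser opening port 80 to many hosts in one domain reads as a "portsweep". The alert lines and flow records are constructed for the example (RFC 5737 documentation addresses), the fast-alert layout is assumed from Snort's `alert_fast` output, and the thresholds of 5 hosts / 5 ports are illustrative assumptions, not sfPortscan's real tuning.

```python
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines in the sfPortscan style (GID 122:
# SID 1 = TCP Portscan, SID 3 = TCP Portsweep). Not taken from the original
# post; addresses are RFC 5737 / RFC 1918 ranges.
SAMPLE_ALERTS = """\
12/16-08:10:02.114231 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.1.1.23 -> 198.51.100.11
12/16-08:10:07.551020 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.1.1.23 -> 198.51.100.12
12/16-08:11:40.002913 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.1.1.23 -> 198.51.100.13
12/16-08:12:15.870011 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.1.1.23 -> 10.1.1.5
12/16-08:13:01.000001 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 10.1.1.40 -> 198.51.100.11
"""

# Matches "[gid:sid:rev] (portscan) TCP Port... [**] ... src -> dst" at line end.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] \(portscan\) (?P<msg>TCP Port\w+) \[\*\*\]"
    r".*?(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_alerts(text):
    """Return one dict per GID 122 alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("gid") == "122":
            alerts.append({"sid": int(m.group("sid")), "msg": m.group("msg"),
                           "src": m.group("src"), "dst": m.group("dst")})
    return alerts


def summarize_by_source(alerts):
    """Per source host: count of sweep vs scan alerts and the set of destinations hit."""
    summary = defaultdict(lambda: {"portscan": 0, "portsweep": 0, "targets": set()})
    for a in alerts:
        kind = "portsweep" if a["sid"] == 3 else "portscan"
        summary[a["src"]][kind] += 1
        summary[a["src"]]["targets"].add(a["dst"])
    return dict(summary)


def rank_sources(alerts):
    """(src, total alerts) pairs, noisiest source first: the machine to go and look at."""
    summary = summarize_by_source(alerts)
    return sorted(((src, s["portsweep"] + s["portscan"]) for src, s in summary.items()),
                  key=lambda t: t[1], reverse=True)


# Constructed flow records (src, dst, dport). The first group is ordinary web
# browsing: one port (80) to five hosts in one domain. The second is one host
# probed on five different ports. The last is a single benign connection.
SAMPLE_FLOWS = (
    [("10.1.1.23", f"198.51.100.{n}", 80) for n in range(11, 16)]
    + [("10.1.1.23", "10.1.1.5", p) for p in (21, 22, 23, 25, 443)]
    + [("10.1.1.40", "198.51.100.11", 80)]
)


def classify_flows(flows, sweep_hosts=5, scan_ports=5):
    """Apply the sweep/scan distinction to flows.

    portsweep: one source, one destination port, >= sweep_hosts distinct hosts.
    portscan:  one source, one destination host, >= scan_ports distinct ports.
    Thresholds are illustrative assumptions, not sfPortscan's real sensitivity levels.
    """
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport in flows:
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)

    findings = []
    for src in hosts_per_port:
        for port, dsts in hosts_per_port[src].items():
            if len(dsts) >= sweep_hosts:
                findings.append(("portsweep", src, port, len(dsts)))
        for dst, ports in ports_per_host[src].items():
            if len(ports) >= scan_ports:
                findings.append(("portscan", src, dst, len(ports)))
    return findings


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, total in rank_sources(alerts):
        s = summarize_by_source(alerts)[src]
        print(f"{src}: {total} alerts ({s['portsweep']} sweep, {s['portscan']} scan), "
              f"{len(s['targets'])} distinct targets")
    for finding in classify_flows(SAMPLE_FLOWS):
        print(finding)
```

Reading the output the way the thread suggests: the first function tells you which workstation to walk over to; the flow classifier shows that plain browsing (port 80 to several hosts behind one site) satisfies the "one port, many hosts" shape of a portsweep, while the same workstation touching five ports on one internal host is the shape worth an actual investigation.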
Current thread:
- TCP Portsweep and TCP Portscan Ashgate Publishing Information Technology (Dec 16)
- RE: TCP Portsweep and TCP Portscan Bob Konigsberg (Dec 16)