Snort mailing list archives
STEALTH ACTIVITY (NULL scan) ???
From: "Ing. Daniel Manrique" <roadmr () entropia com mx>
Date: Wed, 24 Apr 2002 12:16:47 -0500 (CDT)
Hey! I'm seeing some strange activity on my network and would greatly appreciate help in deciphering what it is. I started using Snort about 2 weeks ago, and I've observed the following strange activity a few times since then:

04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 90.52.129.113:57321 -> 200.254.252.57:27907
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 153.141.187.122:57833 -> 200.254.252.57:59152
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 198.73.154.16:58345 -> 200.254.252.57:19667
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 51.104.227.88:58601 -> 200.223.171.4:21762
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 213.237.10.72:59113 -> 200.223.171.4:53374

At random times during the day, I start seeing LOTS of these (1-2 million of these in a 5 minute period). Then it stops all of a sudden. This activity of course fills up my logs (processing a 1 GB logfile is no fun) and saturates both my backbone LAN and my outgoing internet connection.

What's interesting is that neither one of the IP addresses reported by Snort is in my class-C network; furthermore, the destination address (the one after the ->) is always the same (or one of two repeating addresses, as in the example); and interestingly, they're all located in Brazil.

My initial suspicion is that one of the hosts on our network was compromised by Brazilian crackers. However, since the strange activity presents no evidence to support this fact, and I don't own the server in question, it's a bit hard to tell the owner their server is compromised. I have even pinpointed the offending server by unplugging its network cable and observing that the strange activity stops.
Still, I'd like to find something in my logs or packet dumps that indicates the server in question is involved in these events. This would make it easy to confront the server's owner with hard evidence and ask him to either solve the problem or face disconnection (heheh).

Also, and a bit off-topic, my gateway router is a Cisco 3620 with IOS 11.2, and I'd like to add filtering rules to drop packets not coming to, or originating from, my class-C network. Logic dictates that, as in this case, packets with both origin and destination addresses in foreign networks wouldn't make it past the router, thus avoiding the saturation I'm seeing.

So, if anyone knows what this kind of activity means, and/or how to implement the routing filter I mention, I'd be really, really grateful :) Thanks for any help you can provide!

- Roadmaster
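One way to pull the "hard evidence" out of the alert log, as an added example that is not from the original post or from Snort itself: a Python script that parses Snort fast-alert lines, flags every alert whose source and destination are both outside the local prefix (a packet that could only have been emitted on the LAN with a spoofed source, or forwarded in by an unfiltered router), and tallies the repeating destinations. The local network 192.0.2.0/24 is an assumption (the post does not give the poster's class C) and the sample lines are constructed from the five quoted alerts plus one legitimate local alert.

```python
import ipaddress
import re
from collections import Counter

# Assumed local prefix; the post does not state the poster's class C, so use a placeholder.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Snort fast-alert line layout, as seen in the post:
# <ts> [**] [gid:sid:rev] <msg> [**] {PROTO} <src>:<sport> -> <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: the five alerts quoted in the post plus one local, non-spoofed alert.
SAMPLE_ALERTS = [
    "04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 90.52.129.113:57321 -> 200.254.252.57:27907",
    "04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 153.141.187.122:57833 -> 200.254.252.57:59152",
    "04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 198.73.154.16:58345 -> 200.254.252.57:19667",
    "04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 51.104.227.88:58601 -> 200.223.171.4:21762",
    "04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 213.237.10.72:59113 -> 200.223.171.4:53374",
    "04/23-23:55:01.000000 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 192.0.2.10:1025 -> 198.51.100.5:80",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-alert record."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_transit(alert, local_net=LOCAL_NET):
    """True when neither endpoint is in the local prefix: such a packet has no
    legitimate reason to appear on this LAN (spoofed source or missing ingress/egress filter)."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    return src not in local_net and dst not in local_net


def summarize(lines, local_net=LOCAL_NET):
    """Return (transit alert count, Counter of destinations, number of distinct sources).
    The flood in the post shows as many random sources converging on one or two destinations."""
    transit = [a for a in map(parse_alert, lines) if a and is_transit(a, local_net)]
    return len(transit), Counter(a["dst"] for a in transit), len({a["src"] for a in transit})


if __name__ == "__main__":
    count, dsts, nsrc = summarize(SAMPLE_ALERTS)
    print(f"{count} transit alerts from {nsrc} distinct sources; top destinations: {dsts.most_common(2)}")
```

Run against the real alert file (one line per alert) the same summary gives the destination list and alert rate you can hand to the server's owner; a packet capture filtered on the same destinations then ties the frames to that host's MAC address.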