Snort mailing list archives

Re: 17203 portscan alerts in 23 hours from same IP


From: Jon Quiros <sysadmin () ncemch org>
Date: 10 Jul 2002 17:06:06 -0400

Thanks for the reply.  It started up again at 2:30 and continues, now scanning lower ports (I've got about 19,000 
events now). 
The user of this computer has been away from her desk since about 11am this morning, so I'm really doubting it's her end 
that's triggering it.  No adware, no open web browser.

Here's another snippet of the portscan log:
==
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F 
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1532 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1533 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1538 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1539 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1540 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F 
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F 
===
 
Jon Quirós
Network/Systems Administrator
National Center for Education in Maternal and Child Health
Georgetown University
2000 15th St N, Suite 701
Arlington, Va 22201
Ph:  (703)524-7802
Fax: (703)524-9335


On Wednesday, July 10, 2002 4:37 PM, Matt Kettler <mkettler () evi-inc com> wrote:
Perhaps the citibank webpage has a gif-image which reloads at regular 
intervals? In that case all she'd need to do is leave the browser open, and 
those kinds of reloading images are pretty common.

It strikes me as highly absurd to consider reset/fin packets coming from 
port 80 on a valid webserver to be a portscan of any sort. Sure webservers 
get knocked over and used to attack others sometimes, but very rarely do 
those scans originate from port 80 (since they'd have to shut the webserver 
down) and rarely do they consist of ARF ("close connection and stop talking 
to me, don't even acknowledge the close") type packets at regular intervals 
to normal client ports. ARF isn't exactly a very useful combination of 
flags for portscanning AFAIK.


I think the appropriate question to ask here is "why was my user's machine 
trying to contact citibank's website so frequently" rather than "why was 
citibank scanning me", and I think the answer is that someone had a couple 
of pages with self-refreshing images open and left the browser
running.


At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
someone that replied off-list wrote this:

"Looks to me like your source and dest IPs are showing up backwards. It is 
not a scan, but merely the random source port 1024 incrementing with each 
connection. Your end user must be doing a lot of on-line banking with 
Citibank I would say."

This would make perfect sense to me, except I can't envision her staying 
overnight doing online banking stuff, or any program running in the 
background following the same pattern over and over again.

Jon Q



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
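The triage Matt walks through by eye (a fixed source port 80, ACK/RST/FIN flags, destination ports all in the client range) can be automated over the Snort 1.x portscan.log format quoted above. This is an added example, not code from the thread or from Snort; the sample lines are constructed (the 192.0.2.9 scanner is a documentation address), and the verdict strings and thresholds are my own heuristics.

```python
import re
from collections import defaultdict

# Snort 1.x portscan.log line, as quoted in the thread:
#   Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS
# FLAGS is the 8-character "12UAPRSF" string, e.g. ***A*R*F or ******S*.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<type>\S+) (?P<flags>\S+)\s*$")

def parse(text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def triage(text):
    """Group events per (src, dst) and label each group (heuristic, assumed)."""
    groups = defaultdict(list)
    for ev in parse(text):
        groups[(ev["src"], ev["dst"])].append(ev)
    verdicts = {}
    for key, evs in groups.items():
        sports = {e["sport"] for e in evs}
        dports = {e["dport"] for e in evs}
        flags = {e["flags"] for e in evs}
        all_acked = all("A" in f for f in flags)          # every packet carries ACK
        syn_only = all(f.replace("*", "") == "S" for f in flags)
        # One well-known source port, ACK set, all targets ephemeral: these are
        # a server tearing down sessions the *destination* host opened.
        if (len(sports) == 1 and min(sports) < 1024 and all_acked
                and all(p >= 1024 for p in dports)):
            verdict = "server-side teardown: dest host initiated these sessions"
        elif syn_only and len(dports) > 1:
            verdict = "probable scan: SYN-only probes across service ports"
        else:
            verdict = "inconclusive: inspect full packets"
        verdicts[key] = {"events": len(evs), "dst_ports": len(dports),
                         "verdict": verdict}
    return verdicts

# Constructed sample: four lines shaped like the thread's log plus a real-looking
# SYN sweep from a documentation address, so both branches are exercised.
SAMPLE_LOG = """\
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F
Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F
Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F
Jul 10 16:12:01 192.0.2.9:40112 -> one.of.my.users:22 SYN ******S*
Jul 10 16:12:01 192.0.2.9:40112 -> one.of.my.users:23 SYN ******S*
Jul 10 16:12:01 192.0.2.9:40112 -> one.of.my.users:25 SYN ******S*
"""
```

Run `triage(open("portscan.log").read())` against a real log to get one verdict per source/destination pair; the "server-side teardown" label is the cue to look at the destination host's own connections rather than at the remote server.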
