Snort mailing list archives

Re: Snort-users digest, Vol 1 #2408 - 3 msgs


From: "Mike Cole" <Mike.Cole () stanct org>
Date: Thu, 24 Oct 2002 11:46:29 -0700

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me
@ 209.569.3910 and I'll do my best to get back to you.

Mike

snort-users 10/24/02 11:36 >>>

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2407 - 12 msgs (Mike Cole)
   2. RE: Portscan 2 question (Soren Macbeth)
   3. Re: Portscan 2 question (Gary Verhulp)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 11:36:47 -0700
From: "Mike Cole" <Mike.Cole () stanct org>
Reply-To: Mike.Cole () stanct org
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2407 - 12 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me
@ 209.569.3910 and I'll do my best to get back to you.

Mike

snort-users 10/24/02 11:26 >>>


Today's Topics:

   1. RE: UDP packet supposedly DROPped, but seen by snort anyway (Matt Yackley)
   2. RE: UDP packet supposedly DROPped, but seen by snort anyway (Jan Ploski)
   3. RE: PROBLEMAS (Kreimendahl, Chad J)
   4. Portscan 2 question (Joe Giles)
   5. Re: dual inteface? (Bennett Todd)
   6. RE: Portscan 2 question (Joe Giles)
   7. RE: Portscan 2 question (Soren Macbeth)
   8. Re: Portscan 2 question (Joe Giles)
   9. Re: Portscan 2 question (Joe Giles)
  10. Re: Portscan 2 question (Joe Giles)
  11. RE: Portscan 2 question (Joe Giles)

-- __--__-- 

Message: 1
From: Matt Yackley <Matt.Yackley () perkinswill com>
To: 'Jan Ploski' <jpljpl () gmx de>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway
Date: Thu, 24 Oct 2002 11:23:35 -0500

Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
grabs the packet when it hits the NIC, iptables is rejecting the packet but
that happens at a higher level than libpcap & snort work at.
Others here will expand more but my guess as to why the TCP is not picked up
by snort is due to the way the rules are written and the way TCP connections
are handled.  Most rules for TCP type connections will require a 3way
handshake to be completed before something like a cmd.exe attempt is sent.
If this type of connection is blocked at the start it never gets to the
point of sending a packet that triggers the rule.  This UDP rule will
trigger with the first packet sent since it does not need a 3 way handshake
to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to
correct me where I am wrong :)

Matt

-----Original Message-----
From: Jan Ploski [mailto:jpljpl () gmx de]
Sent: Thursday, October 24, 2002 10:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] UDP packet supposedly DROPped, but seen by snort
anyway


Hello,

I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on
that port.

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed at? This is not the case for any TCP
packets that have been DROPped.

Best regards -
Jan Ploski



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
http://ad.doubleclick.net/clk;4729346;7592162;s?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- __--__-- 

Message: 2
Date: Thu, 24 Oct 2002 18:41:34 +0200 (CEST)
From: Jan Ploski <jpljpl () gmx de>
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
grabs the packet when it hits the NIC, iptables is rejecting the packet but
that happens at a higher level than libpcap & snort work at.
Others here will expand more but my guess as to why the TCP is not picked up
by snort is due to the way the rules are written and the way TCP connections
are handled.  Most rules for TCP type connections will require a 3way
handshake to be completed before something like a cmd.exe attempt is sent.
If this type of connection is blocked at the start it never gets to the
point of sending a packet that triggers the rule.  This UDP rule will
trigger with the first packet sent since it does not need a 3 way handshake
to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to
correct me where I am wrong :)

Matt,

you are entirely correct, and I have also received similar suggestions
from other people on this list via private email (thanks again!).
The TCP SYN packet used to establish a connection indeed makes it
through to snort, much like the UDP packet. Too bad I did not check
this before posting... :-(

As someone else suggested: "write a pass rule for it or you can
use a bpf filter (not udp port 161) to ignore the traffic". This is
indeed a good solution, as I know that port 161 is closed on the
monitored box.

Best regards -
Jan Ploski



-- __--__-- 

Message: 3
Subject: RE: [Snort-users] PROBLEMAS
Date: Thu, 24 Oct 2002 11:46:53 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: "Mario Alberto Soto Cordones" <mario_soto () compuall cl>,
   <snort-users () lists sourceforge net>


You may have to translate this back to spanish, 'cause my answer is
gonna be in english.

1.  Do you have the database tables set up for postgresql?
2.  When snort starts, do you see a connection made to the database?
3.  If no: Have you configured in snort.conf "output database
postgresql: ....."?

-----Original Message-----
From: Mario Alberto Soto Cordones [mailto:mario_soto () compuall cl]
Sent: Thursday, October 24, 2002 1:09 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PROBLEMAS


I have snort installed on RH 8.0, and I want to send the logs to a
postgresql database so that it can interact with acid.

My problem is that the database is not being filled with the snort alerts.

Please help me.







-- __--__-- 

Message: 4
From: Joe Giles <jgiles () joeman1 com>
To: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 11:22:36 -0600
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe





-- __--__-- 

Message: 5
Date: Thu, 24 Oct 2002 13:28:44 -0400
From: Bennett Todd <bet () rahul net>
To: Daniel Curry <dcurry () corio com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] dual inteface?



2002-10-24-11:28:04 Daniel Curry:
 I had lost the email that gave information on how to configure snort
to see two, eth2 and eth3, promiscuous interfaces on a redhat 7.2 system?

I think you're perhaps talking about this?

------------------------------------------------------------------------------

Version 1.2 --- that promisc is only needed on the bond0 interface

Version 1.1 --- need to explicitly "promisc" on the ifconfigs;
        snort's putting the -i bond0 into promisc didn't propagate
        back through to the underlying eth interfaces.

------------------------------------------------------------------------------

In Red Hat 7.3, with the default 2.4.18-3 kernel, it's really easy
to bond multiple channels to snort them all. The technique is
documented in /usr/src/linux/Documentation/networking/bonding.txt.
In brief:

        # add the alias once; append so an existing modules.conf is not overwritten
        grep -q bond0 /etc/modules.conf || echo alias bond0 bonding >>/etc/modules.conf
        # promisc has to be set on bond0 before the slaves are attached (see Version 1.2 above)
        ifconfig bond0 promisc up
        for dev in eth1 eth2 ...;do
                ifconfig $dev up
                ifenslave bond0 $dev
        done
        snort ... -i bond0 ...

Works great. The ifenslave invocations whinge a bit about all the
things they can't do with the unnumbered interfaces, but it all
works.

I used 3 Compaq DL-320s for a test setup. Each of these comes with
two eepro100 interfaces; in one I've added a third such interface in
the PCI slot. On each box the eth0 is the mgmt interface (NB when
you add a PCI card eepro100 it becomes eth0 and the two builtin NICs
renumber to eth1 and eth2).

Besides running the eth0 interfaces to a hub, I tied the two eth1s
from the dual-interface traffic generators to the eth1 and eth2
builtins on the 3-interface box, with crossover cables, running
100BaseT. I used the above invocations to get snort cooking with
its default sigs, listening to bond0 with eth1 and eth2 enslaved to
it. Snort sat idle. I fired up a ping -f on one of the generators
and snort jumped up to 25% CPU; then launched ping -f on the
other generator and it jumped to 55%. Each generator was emitting
c. 20,000 packets/second, default ping packet size (64 bytes).

When I next tried tcpreplay[1], all was not as happy, until I
stumbled across the above-mentioned need to promisc the bond0
interface manually as you're ifconfigging it. Actually, what I first
did was ifconfig both the bond0 and the underlying eth# interfaces
promisc; that worked too, but was overkill. When I inquired about
this matter on the bonding-devel mailing list, they explained to me
that flags like promisc _Are_ propagated down to the underlying
interfaces, but only at ifenslave time, not later.

Once I got that, things got lots more better. Do remember when
benchmarking with tcpreplay to make sure to tcpdump -s 0, so you
aren't using captures with truncated packets.

-Bennett

[1] <URL:http://tcpreplay.sf.net/>



-- __--__-- 

Message: 6
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
To: "Hicks, John" <JHicks () JUSTICE GC CA>
Cc: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 11:54:41 -0600

Wheew... I thought I was hacked or something. I thought someone was
using my server as a proxy to scan other networks :-P

I'm not sure how to alleviate this problem, but maybe the Snort gurus
can figure it out :)

Thanks

Joe

On Thu, 2002-10-24 at 11:46, Hicks, John wrote:
I'm noticing the same thing after installing 1.9 on a Web Server. It seems to
detect my $HOME_NET address replying to multiple web requests on various
ephemeral ports as a portscan. Any thoughts on how to control this? I tried
the ignorehosts to no avail :(

John

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe





-- __--__-- 

Message: 7
From: Soren Macbeth <smacbeth () atc-nycorp com>
To: Snort-List <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:02:40 -0400

Look at the ports that portscan2 reported. Sometimes clients browsing
websites cause portscan2 to trigger based on the fact that some browsers
initiate a new connection (and thus, new port) for each image. If you
haven't changed the config, there should be a scan.log file in your snort log
directory which will have more info.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe







-- __--__-- 

Message: 8
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
To: Robby Desmond <rdesmond () els ucsb edu>
Cc: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 12:12:44 -0600

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Thanks for the reply

Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
At 11:22 AM 10/24/02 -0600, you wrote:
I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts,
otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has
been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906




-- __--__-- 

Message: 9
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
To: Robby Desmond <rdesmond () els ucsb edu>
Cc: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 12:15:54 -0600

I also checked the history files of the 5 users I do have and nothing in
there indicates that nmap or nessus or any other scanner was run. And
there was no sudo or su command initiated.

Thanks

Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
At 11:22 AM 10/24/02 -0600, you wrote:
I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts,
otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has
been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906




-- __--__-- 

Message: 10
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
To: Robby Desmond <rdesmond () els ucsb edu>
Cc: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 12:21:58 -0600

Hey, that is a neat command :).

Well, according to last, no one logged on but me during the time of the
"Issue".

Thanks. I will add my ISP's DNS to the list and see if that helps. This
is the first time I have seen this message in ACID since I upgraded to
the new snort. That was better than a week ago.

Thanks

Joe

On Thu, 2002-10-24 at 12:16, Robby Desmond wrote:
At 12:12 PM 10/24/02 -0600, you wrote:
Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list?

Yes. That will reduce your portscan alerts, but doesn't solve the problem
of your host causing portscan alerts.

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Oops. Make that singular "last".  It is a standard UNIX tool.

Thanks for the reply

Joe

No prob.

You might also want to check to see if any of the services you run from
your server periodically scan hosts for some reason.

HTH,
-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906




-- __--__-- 

Message: 11
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles () joeman1 com>
To: Soren Macbeth <smacbeth () atc-nycorp com>
Cc: Snort-List <snort-users () lists sourceforge net>
Date: 24 Oct 2002 12:26:18 -0600

Here is what I found in that scan.log file for the 2 dest IPs...

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe


On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
Look at the ports that portscan2 reported. Sometimes clients browsing
websites cause portscan2 to trigger based on the fact that some browsers
initiate a new connection (and thus, new port) for each image. If you
haven't changed the config, there should be a scan.log file in your snort log
directory which will have more info.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe






-- __--__-- 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



--__--__--

Message: 2
From: Soren Macbeth <smacbeth () atc-nycorp com>
To: 'Joe Giles' <jgiles () joeman1 com>, Soren Macbeth
         <smacbeth () atc-nycorp com>
Cc: Snort-List <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:32:59 -0400

I'm not sure about the udp dport 27160 stuff. Are you running some
application on that port? It's all traffic to one particular host. You may
want to check into that.

The second one is definitely benign web browsing.

//soren


-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com] 
Sent: Thursday, October 24, 2002 2:26 PM
To: Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

Here is what I found in that scan.log file for the 2 dest IPs...

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe


On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
Look at the ports that portscan2 reported. Sometimes clients browsing
websites cause portscan2 to trigger based on the fact that some browsers
initiate a new connection (and thus, new port) for each image. If you
haven't changed the config, there should be a scan.log file in your snort log
directory which will have more info.

//soren 

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com] 
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe





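The triage Soren applies above (SYNs to port 80 from ephemeral client ports are browsing; recurring UDP to one host and port calls for finding the local application), as an added example that is not code from the thread or from Snort: a parser for the scan.log layout Joe quoted, grouping events by source, destination and destination port. The sample log lines and addresses are constructed.

```python
"""Parse and triage Snort 1.9 spp_portscan2 scan.log entries.

Added example, not code from the thread or from the Snort project. It parses
the one-line-per-event layout quoted in the thread and applies the triage the
replies suggest: SYNs to web ports are client browsing, recurring UDP to one
host and port points at a local application, anything else is left for review.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order as printed by portscan2; TCP entries carry a flags field, UDP ones do not.
SCAN_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<proto>TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+"
    r"(?:flags:\s*(?P<flags>\S+)\s+)?event_id:\s*(?P<event_id>\d+)\s*$"
)

WEB_PORTS = {80, 443}

# Constructed sample in the thread's layout (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
10/17-14:29:25.712618  UDP src: 192.0.2.10 dst: 198.51.100.7 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: 192.0.2.10 dst: 198.51.100.7 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: 192.0.2.10 dst: 198.51.100.7 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/23-11:17:52.681476  TCP src: 192.0.2.10 dst: 203.0.113.5 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
"""


@dataclass
class ScanEvent:
    ts: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tgts: int               # distinct targets seen in the detection window
    ports: int              # distinct ports seen in the detection window
    flags: Optional[str]    # 8-character TCP flag mask such as ******S*; None for UDP
    event_id: int


def parse_line(line: str) -> Optional[ScanEvent]:
    """Return a ScanEvent for one scan.log line, or None if the line does not match."""
    m = SCAN_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return ScanEvent(
        ts=d["ts"], proto=d["proto"], src=d["src"], dst=d["dst"],
        sport=int(d["sport"]), dport=int(d["dport"]),
        tgts=int(d["tgts"]), ports=int(d["ports"]),
        flags=d["flags"], event_id=int(d["event_id"]),
    )


def parse_log(text: str) -> List[ScanEvent]:
    """Parse a whole scan.log, silently skipping lines that are not events."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def is_syn_only(flags: Optional[str]) -> bool:
    """True for a bare SYN: every position in the mask is '*' except the S."""
    return flags is not None and flags.replace("*", "") == "S"


def triage(events: List[ScanEvent]) -> Dict[Tuple[str, str, int], str]:
    """Group events by (src, dst, dport) and attach a defender's verdict to each group."""
    groups: Dict[Tuple[str, str, int], List[ScanEvent]] = defaultdict(list)
    for ev in events:
        groups[(ev.src, ev.dst, ev.dport)].append(ev)

    verdicts: Dict[Tuple[str, str, int], str] = {}
    for key, evs in groups.items():
        dport = key[2]
        distinct_sports = {ev.sport for ev in evs}
        if dport in WEB_PORTS and all(ev.proto == "TCP" and is_syn_only(ev.flags) for ev in evs):
            # One ephemeral client port per connection: the browser behaviour Soren describes.
            verdicts[key] = "likely web browsing from this host"
        elif len(evs) >= 3 and len(distinct_sports) == len(evs):
            # Same destination host and port over days, always a fresh source port:
            # find the local application behind it before assuming a compromise.
            verdicts[key] = "recurring traffic to one host/port: identify the local application"
        else:
            verdicts[key] = "review manually"
    return verdicts


if __name__ == "__main__":
    for (src, dst, dport), verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport}: {verdict}")
```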



--__--__--

Message: 3
Date: Thu, 24 Oct 2002 11:58:01 -0700
From: Gary Verhulp <garyv () cips nokia com>
Reply-To: gary.verhulp () nokia com
To: Joe Giles <jgiles () joeman1 com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Portscan 2 question

On most unix that I'm familiar with, it's "last" not "lasts".
What OS are you on?
What are the ports used in the scan?
Can you post a section of the alert?

Gary



Joe Giles wrote:
Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list? 

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Thanks for the reply

Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:

At 11:22 AM 10/24/02 -0600, you wrote:

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.

Thanks

Joe

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts, 
otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has 
been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906












--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




