Snort mailing list archives
Re: Snort-users digest, Vol 1 #2420 - 2 msgs
From: "Mike Cole" <Mike.Cole () stanct org>
Date: Thu, 24 Oct 2002 13:17:51 -0700
I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 13:05 >>>
Send Snort-users mailing list submissions to
	snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request () lists sourceforge net

You can reach the person managing the list at
	snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Snort Center - File size limit exceeded (Andy Stein)
   2. Re: Snort-users digest, Vol 1 #2418 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 16:02:40 -0400 (EDT)
From: "Andy Stein" <andy () droidmcse com>
To: <snort-users () lists sourceforge net>
Reply-To: andy () droidmcse com
Subject: [Snort-users] Snort Center - File size limit exceeded

I have a sensor that will not start after I push the configuration to it. Running this command:

[root@mnnslx10 snort]# snort -U -o -c /etc/snort/snort.eth0.conf
<snip>
1033 Snort rules read...
1033 Option Chains linked into 153 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
File size limit exceeded

What file size limit have I exceeded?

Thanks!
Andy

--__--__--

Message: 2
Date: Thu, 24 Oct 2002 13:08:24 -0700
From: "Mike Cole" <Mike.Cole () stanct org>
Reply-To: Mike.Cole () stanct org
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2418 - 1 msg

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
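What "File size limit exceeded" means, as an added example that is not part of the thread and not Snort code: that string is what the shell prints when a child process is killed by SIGXFSZ, the signal the kernel raises when a write would push a file past the process's RLIMIT_FSIZE (the `ulimit -f` value). The script below reads the current limit, then lowers it in-process and writes past it so the refusal can be seen. Python ignores SIGXFSZ at interpreter start-up, so the kernel's refusal surfaces here as OSError(EFBIG) instead of killing the interpreter; a C program such as snort that leaves the signal at its default is killed outright, which is what the sensor output above shows. Linux/Unix only; the 4096-byte limit, the chunk size and the scratch file are this example's own choices.

```python
"""Show what "File size limit exceeded" means: a write past RLIMIT_FSIZE.

Added example for this thread, not Snort code.  Linux/Unix only.
Python ignores SIGXFSZ at interpreter start-up, so the kernel's refusal
shows up here as OSError(EFBIG); a program that leaves SIGXFSZ at its
default (snort, cat, dd, ...) is killed by it and the parent shell
reports "File size limit exceeded".
"""
import errno
import os
import resource
import tempfile


def fsize_limit():
    """Current (soft, hard) RLIMIT_FSIZE in bytes; RLIM_INFINITY means 'unlimited'."""
    return resource.getrlimit(resource.RLIMIT_FSIZE)


def describe_limit(limit):
    return "unlimited" if limit == resource.RLIM_INFINITY else f"{limit} bytes"


def write_under_limit(limit_bytes, total_bytes, chunk=1024):
    """Lower the soft RLIMIT_FSIZE to limit_bytes, write total_bytes to a
    scratch file in chunk-sized os.write() calls, then restore the limit.

    Returns (bytes_actually_written, errno_name_or_None).  The kernel
    accepts writes that end at or before the limit and refuses the first
    one that starts at or beyond it with EFBIG (plus SIGXFSZ, ignored here).
    """
    soft, hard = fsize_limit()
    if hard != resource.RLIM_INFINITY and limit_bytes > hard:
        raise ValueError("requested limit exceeds the hard limit")
    fd, path = tempfile.mkstemp(prefix="fsize-demo-")  # scratch file, removed below
    written, err = 0, None
    try:
        resource.setrlimit(resource.RLIMIT_FSIZE, (limit_bytes, hard))
        while written < total_bytes:
            try:
                written += os.write(fd, b"x" * min(chunk, total_bytes - written))
            except OSError as exc:
                err = errno.errorcode.get(exc.errno, str(exc.errno))
                break
    finally:
        resource.setrlimit(resource.RLIMIT_FSIZE, (soft, hard))  # always restore
        os.close(fd)
        os.unlink(path)
    return written, err


if __name__ == "__main__":
    soft, hard = fsize_limit()
    print(f"RLIMIT_FSIZE soft={describe_limit(soft)} hard={describe_limit(hard)}")
    written, err = write_under_limit(4096, 8192)
    print(f"wrote {written} bytes, then write() failed with {err}")
```

On a sensor, check `ulimit -f` in the environment that actually starts snort (an init script or a Snort Center push can run under a different account and different limits than an interactive root shell), and look in the log directory for a file that has already reached a limit; a binary snort.log that has grown to 2 GiB on a build without large-file support is the other classic trigger. Either condition kills snort right after initialization, exactly where the output above stops.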
snort-users 10/24/02 12:47 >>>
Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2416 - 2 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:50:44 -0700
From: "Mike Cole" <Mike.Cole () stanct org>
Reply-To: Mike.Cole () stanct org
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2416 - 2 msgs

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 12:39 >>>
Today's Topics:

   1. RE: Portscan 2 question (Brian F. Vaughan)
   2. RE: Re: Snort-users digest, Vol 1 #2413 - 1 msg (darnell.poulin@cma.ca)

--__--__--

Message: 1
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 15:33:15 -0400
From: "Brian F. Vaughan" <bvaughan () wgen net>
To: "Soren Macbeth" <smacbeth () atc-nycorp com>, "Joe Giles" <jgiles () joeman1 com>
Cc: "Snort-List" <snort-users () lists sourceforge net>

Have you performed an nslookup on the dst ip? It is an ISP that may have a user hosting a game server or something, as it is going to a high-numbered UDP port. You should also check the internal machine that is the src to make sure there isn't a virus or some backdoor program sending info back to the dst ip.

Brian Vaughan
IT Administrator

-----Original Message-----
From: Soren Macbeth [mailto:smacbeth () atc-nycorp com]
Sent: Thursday, October 24, 2002 2:33 PM
To: 'Joe Giles'; Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

I'm not sure about the udp dport 27160 stuff. Are you running some application on that port? It's all traffic to one particular host. You may want to check into that. The second one is definitely benign web browsing.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 2:26 PM
To: Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

Here is what I found in that scan.log file for the 2 dest IPs...

Instance 1>
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks
Joe

On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:

Look at the ports that portscan2 reported. Sometimes clients browsing websites cause portscan2 to trigger based on the fact that some browsers initiate a new connection (and thus, new port) for each image. If you haven't changed the config, there should be a scan.log file in your snort log directory which will have more info.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as an spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.

Thanks
Joe

-------------------------------------------------------
This sf.net email is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
From: darnell.poulin () cma ca
Date: Thu, 24 Oct 2002 15:39:08 -0400
To: Mike.Cole () stanct org, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: Snort-users digest, Vol 1 #2413 - 1 msg

OK, I think it's about time to temporarily take this gent off of the list...

-----Original Message-----
From: Mike.Cole@stanct.org
Sent: Thursday, October 24, 2002 3:30 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2413 - 1 msg

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
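The reasoning in this exchange (one fixed high UDP port reached from a fresh ephemeral source port each time is one application talking to one service; repeated SYNs from new client ports to port 80 are a browser) can be applied mechanically to the scan.log lines Joe posted. The script below is an added example, not part of the thread and not Snort code: it parses the spp_portscan2 scan.log line format as it appears above, groups entries by source, destination and protocol, and gives each group a verdict. The sample input is Joe's own two instances with his <INTERNALIP> placeholder kept; the field regex, the port sets and thresholds, and the verdict labels are this example's assumptions. The tgts: and ports: fields are portscan2's running counts for the source host inside its time window, not per-destination counts, so the grouping keys on dport rather than on them.

```python
"""Triage spp_portscan2 scan.log entries by destination.

Added example for this thread, not code from Snort or from any poster.
SAMPLE_SCAN_LOG holds the thirteen lines Joe Giles posted (his
<INTERNALIP> placeholder kept); regex, thresholds and labels are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_SCAN_LOG = """\
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
"""

# One scan.log line as printed by Snort 1.9's portscan2 (flags: only on TCP lines).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)"
    r"(?:\s+flags:\s*(?P<flags>\S+))?\s+event_id:\s*(?P<event_id>\d+)\s*$"
)

WEB_PORTS = {80, 443, 8080}   # assumption: what "browsing" means for this triage
EPHEMERAL_FLOOR = 1024        # assumption: where "high-numbered" ports start


def parse_scan_log(text):
    """Return one dict per line; raise on a line that does not fit the format."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised scan.log line: {line!r}")
        e = m.groupdict()
        for k in ("sport", "dport", "tgts", "ports", "event_id"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def classify(proto, dports, flags):
    """Verdict for one (src, dst, proto) group from its destination port set."""
    if len(dports) > 1:
        return "scan-like: several destination ports on one host"
    (dport,) = dports
    if proto == "TCP" and dport in WEB_PORTS and all(f == "******S*" for f in flags):
        return "browsing-like: repeated SYNs from new client ports to one web port"
    if proto == "UDP" and dport >= EPHEMERAL_FLOOR:
        return "single-service: one high UDP port; identify the client app on the source host"
    return "single-service: one destination port; identify the app before calling it a scan"


def triage(entries):
    """Group by (src, dst, proto) and attach counts plus a verdict to each group."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"], e["proto"])].append(e)
    report = {}
    for key, es in groups.items():
        dports = {e["dport"] for e in es}
        flags = [e["flags"] for e in es if e["flags"] is not None]
        report[key] = {
            "events": len(es),
            "distinct_sports": len({e["sport"] for e in es}),
            "dports": sorted(dports),
            "first": es[0]["ts"],
            "last": es[-1]["ts"],
            "verdict": classify(key[2], dports, flags),
        }
    return report


if __name__ == "__main__":
    for (src, dst, proto), r in triage(parse_scan_log(SAMPLE_SCAN_LOG)).items():
        print(f"{src} -> {dst}/{proto} dports={r['dports']} events={r['events']} "
              f"sports={r['distinct_sports']} [{r['first']} .. {r['last']}]: {r['verdict']}")
```

Run against the posted data it reports the 27160/UDP group as twelve events from twelve different source ports to one port (the pattern Brian and John attribute to a game or IM client, to be confirmed by identifying the process on the source host) and the 80/TCP group as browsing-like. Any group with more than one destination port on a host stays flagged as scan-like, which is the case this heuristic must never wave through.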
snort-users 10/24/02 12:16 >>>
Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2412 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:20:02 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2412 - 1 msg

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 12:09 >>>
Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2411 - 4 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:12:53 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2411 - 4 msgs

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 12:02 >>>
Today's Topics:

   1. RE: Portscan 2 question (Joe Giles)
   2. Is this a valid rule? (Lefevre, Steven)
   3. Re: dual inteface? (Phil Wood)
   4. Re: Snort-users digest, Vol 1 #2410 - 3 msgs (Mike Cole)

--__--__--

Message: 1
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: "Hicks, John" <JHicks@JUSTICE.GC.CA>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 12:51:31 -0600

Well, I do use AIM. I also have a game server running on port 27016 and 27017.

If this is normal TCP/UDP communication, I'm OK with that. I was just concerned that someone hacked me and was using my machine as a proxy to attack other machines (or at least scan other machines). But I can't see any evidence of that. I have checked the logs, bash_history of my few users, and a neat tool called last. I also ran a root kit check. So, at this point, I'm pretty sure that it is just normal traffic. Just threw me off guard cause I have never seen this before in ACID...

Thanks
Joe

On Thu, 2002-10-24 at 12:38, Hicks, John wrote:

Instance #2 is what I was assuming your issue to be. Instance #1 imho needs more correlation, but given UDP and the destination port being the same, I'd assume maybe IM?

John

--__--__--

Message: 2
From: SLefevre@i-m-i-international.com (Lefevre, Steven)
To: "Snort-List" <snort-users@lists.sourceforge.net>
Date: Thu, 24 Oct 2002 14:52:24 -0400
Subject: [Snort-users] Is this a valid rule?

I have this rule in my local rule file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")

(It's to detect IRC traffic ;)

Why does snort always choke on it? I've looked it over 100 times and it seems to follow the syntax.

--__--__--

Message: 3
From: Phil Wood <cpw@lanl.gov>
Date: Thu, 24 Oct 2002 13:00:30 -0600
To: Daniel Curry <dcurry@corio.com>
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] dual inteface?

If you have an os and pcap that supports the "any" interface, then you could:

  snort ... -i any ...

This may not be what you want since you get all the interfaces on your box. I found that it did not appear to work with shared libraries (but that might be due to some funny stuff on my end). So, I built a static snort. (add -static to LDFLAGS and reload, might need -lz at tail end of load line).

On Thu, Oct 24, 2002 at 08:28:04AM -0700, Daniel Curry wrote:

I had lost the email that gave information on how to configure snort to see two, eth2 and eth3, promiscuous interfaces on a redhat 7.2 system? I did not see the information in http://sourceforge.net/mailarchive.

Thank you.

--
Daniel Curry
DIRECT 650-232-4006
FAX 650-232-3200
PGP AD5A 96DC 7556 A020 B8E7 0E4D 5D5E 9BA5 C83E 8C92

--
Phil Wood, cpw@lanl.gov

--__--__--

Message: 4
Date: Thu, 24 Oct 2002 12:05:10 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2410 - 3 msgs

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
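The rule in Message 2 of this digest fails for one reason: Snort's rule grammar requires every option, the last one included, to be terminated by `;`, so `(msg:"IRC Activity")` has to be written `(msg:"IRC Activity";)`. The port range `6008:6009` is fine. The checker below is an added example, not Snort's own parser and not from anyone in the thread: it implements just enough of the rule grammar (the seven header fields, port specs, and the `key:value;` option list with double-quoted strings) to report that mistake and a few neighbouring ones. Which actions, protocols and port forms it accepts is this example's assumption; real Snort accepts more, such as IP lists and backslash-continued multi-line rules.

```python
"""Minimal syntax check for a Snort 1.x/2.x rule line.

Added example for this thread, not Snort's own parser.  It covers only
the header form  action proto src sport -> dst dport (options)  and the
key:value; option list; real Snort accepts more (IP lists, port
negation lists, backslash continuation across lines, ...).
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}     # assumption: 1.9-era actions
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# any, $VAR, 80, 6008:6009, 1024:, :1024, each optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d+:\d*|:\d+)$")


def split_options(body):
    """Split the option body on ';' occurring outside double quotes.

    Returns (options, trailing): options is a list of (keyword, argument)
    pairs; trailing is whatever follows the last ';' and must be empty.
    """
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char inside a string, e.g. \"
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            tok = "".join(current).strip()
            if tok:
                key, _, arg = tok.partition(":")
                options.append((key.strip(), arg.strip()))
            current = []
        else:
            current.append(ch)
        i += 1
    return options, "".join(current).strip()


def check_rule(rule):
    """Return a list of problems; an empty list means the rule parses."""
    problems = []
    rule = rule.strip()
    head, sep, rest = rule.partition("(")
    if not sep or not rest.endswith(")"):
        return ["options must be enclosed in ( ... )"]
    fields = head.split()
    if len(fields) != 7:
        return [f"header has {len(fields)} fields, expected 7: action proto src sport -> dst dport"]
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        problems.append(f"bad direction {direction!r}")
    for name, spec in (("source port", sport), ("destination port", dport)):
        if not PORT_RE.match(spec):
            problems.append(f"bad {name} spec {spec!r}")
    options, trailing = split_options(rest[:-1])
    if trailing:
        problems.append(f"option {trailing!r} is not terminated by ';' "
                        "(every option needs one, including the last)")
    for key, arg in options:
        if key == "msg" and not (arg.startswith('"') and arg.endswith('"')):
            problems.append("msg argument must be a double-quoted string")
    return problems


if __name__ == "__main__":
    for rule in ('alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")',
                 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity";)'):
        print(rule, "->", check_rule(rule) or "OK")
```

Semicolons inside the quoted msg string do not terminate an option, which is why the splitter tracks quoting rather than calling `str.split(";")`; that is the same reason a naive one-liner gives misleading answers on rules with content or msg strings that contain `;`.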
snort-users 10/24/02 11:51 >>>
Today's Topics:

   1. RE: Portscan 2 question (Hicks, John)
   2. Snort 1.9.0 on Windows and MSSQL (Robbins, Mark)
   3. Re: Snort-users digest, Vol 1 #2409 - 1 msg (Mike Cole)

--__--__--

Message: 1
From: "Hicks, John" <JHicks@JUSTICE.GC.CA>
To: 'Joe Giles' <jgiles@joeman1.com>
Cc: "Snort Users (E-mail)" <snort-users@lists.sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:33:24 -0400

It's 'last', and again, *any* service allowing ephemeral ports may cause this, not just DNS.

cheers,
John

-----Original Message-----
From: Joe Giles [mailto:jgiles@joeman1.com]
Sent: Thursday, October 24, 2002 2:13 PM
To: Robby Desmond
Cc: Snort-List
Subject: Re: [Snort-users] Portscan 2 question

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS... Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that part of?

Thanks for the reply
Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts, otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906

--__--__--

Message: 2
From: "Robbins, Mark" <MRobbins@sf.edu>
To: snort-users@lists.sourceforge.net
Date: Thu, 24 Oct 2002 13:43:46 -0500
Subject: [Snort-users] Snort 1.9.0 on Windows and MSSQL

Has anyone gotten Snort 1.9.0 to log to an MSSQL database with the available (compiled) executables? I am getting the error message

database: SQL Server message 156, state 1, severity 15:
Incorrect syntax near the keyword 'schema'.
database: The above error was caused by the following statement:
SELECT vseq FROM schema

In MSSQL, schema is a reserved word, and the syntax would have to be SELECT vseq FROM [schema] for this to work. I have used previous versions of snort to log to MSSQL with no difficulty.

Could this problem arise from a configuration mistake I have made, or is the problem in snort.exe itself?

Thanks for any help you can provide.

Mark Robbins

--__--__--

Message: 3
Date: Thu, 24 Oct 2002 11:54:27 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2409 - 1 msg

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 11:43 >>>
Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2408 - 3 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 11:46:29 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2408 - 3 msgs

I'm out of the office until Monday the 28th. If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you. Mike
snort-users 10/24/02 11:36 >>>
Today's Topics:
1. Re: Snort-users digest, Vol 1 #2407 - 12 msgs (Mike Cole)
2. RE: Portscan 2 question (Soren Macbeth)
3. Re: Portscan 2 question (Gary Verhulp)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 11:36:47 -0700
From: "Mike Cole" <Mike.Cole@stanct.org>
Reply-To: Mike.Cole@stanct.org
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2407 - 12 msgs
snort-users 10/24/02 11:26 >>>
Today's Topics:
1. RE: UDP packet supposedly DROPped, but seen by snort anyway (Matt Yackley)
2. RE: UDP packet supposedly DROPped, but seen by snort anyway (Jan Ploski)
3. RE: PROBLEMAS (Kreimendahl, Chad J)
4. Portscan 2 question (Joe Giles)
5. Re: dual inteface? (Bennett Todd)
6. RE: Portscan 2 question (Joe Giles)
7. RE: Portscan 2 question (Soren Macbeth)
8. Re: Portscan 2 question (Joe Giles)
9. Re: Portscan 2 question (Joe Giles)
10. Re: Portscan 2 question (Joe Giles)
11. RE: Portscan 2 question (Joe Giles)

--__--__--

Message: 1
From: Matt Yackley <Matt.Yackley@perkinswill.com>
To: 'Jan Ploski' <jpljpl@gmx.de>, snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway
Date: Thu, 24 Oct 2002 11:23:35 -0500

Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap grabs the packet when it hits the NIC, iptables is rejecting the packet but that happens at a higher level than libpcap & snort work at.

Others here will expand more but my guess as to why the TCP is not picked up by snort is due to the way the rules are written and the way TCP connections are handled. Most rules for TCP type connections will require a 3way handshake to be completed before something like a cmd.exe attempt is sent. If this type of connection is blocked at the start it never gets to the point of sending a packet that triggers the rule. This UDP rule will trigger with the first packet sent since it does not need a 3 way handshake to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to correct me where I am wrong :)

Matt

-----Original Message-----
From: Jan Ploski [mailto:jpljpl@gmx.de]
Sent: Thursday, October 24, 2002 10:23 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

Hello,

I have the following rule in my Linux iptables configuration:

    iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule seems to work okay, i.e. it fires when a packet is sent to the said port and the packet is never received by the process listening on that port. However, when I run snort in sniffer mode, I can see the packet coming. It also triggers an alert (false positive in this case) according to configured snort rules. My question is, why can this UDP packet, supposedly already dropped by the firewall, be sniffed at?
This is not the case for any TCP packets that have been DROPped.

Best regards -
Jan Ploski

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
Date: Thu, 24 Oct 2002 18:41:34 +0200 (CEST)
From: Jan Ploski <jpljpl@gmx.de>
To: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
> Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap grabs the packet when it hits the NIC, iptables is rejecting the packet but that happens at a higher level than libpcap & snort work at.
>
> Others here will expand more but my guess as to why the TCP is not picked up by snort is due to the way the rules are written and the way TCP connections are handled. Most rules for TCP type connections will require a 3way handshake to be completed before something like a cmd.exe attempt is sent. If this type of connection is blocked at the start it never gets to the point of sending a packet that triggers the rule. This UDP rule will trigger with the first packet sent since it does not need a 3 way handshake to be completed.
>
> Anyway, that is my quick stab at this, everyone else please feel free to correct me where I am wrong :)
Matt, you are entirely correct, and I have also received similar suggestions from other people on this list via private email (thanks again!). The TCP SYN packet used to establish a connection indeed makes it through to snort, much like the UDP packet. Too bad I did not check this before posting... :-(

As someone else suggested: "write a pass rule for it or you can use a bpf filter (not udp port 161) to ignore the traffic". This is indeed a good solution, as I know that port 161 is closed on the monitored box.

Best regards -
Jan Ploski

--__--__--

Message: 3
Subject: RE: [Snort-users] PROBLEMAS
Date: Thu, 24 Oct 2002 11:46:53 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl@umb.com>
To: "Mario Alberto Soto Cordones" <mario_soto@compuall.cl>, <snort-users@lists.sourceforge.net>

You may have to translate this back to spanish, 'cause my answer is gonna be in english.

1. Do you have the database tables set up for postgresql?
2. When snort starts, do you see a connection made to the database?
3. If no: Have you configured in snort.conf "output database postgresql: ....."?
-----Original Message-----
From: Mario Alberto Soto Cordones [mailto:mario_soto@compuall.cl]
Sent: Thursday, October 24, 2002 1:09 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] PROBLEMAS

I have snort installed on a RH 8.0 box, and I want to send the logs to a postgresql database so that it works with acid. My problem is that the database does not get filled with the snort alerts. Please help me.

--__--__--

Message: 4
From: Joe Giles <jgiles@joeman1.com>
To: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 11:22:36 -0600
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as a spp_portscan2. Does the new snort scan other machines on the Internet?
I don't want any issues with other services because they think I'm port scanning their network.

Thanks
Joe

--__--__--

Message: 5
Date: Thu, 24 Oct 2002 13:28:44 -0400
From: Bennett Todd <bet@rahul.net>
To: Daniel Curry <dcurry@corio.com>
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] dual inteface?

2002-10-24-11:28:04 Daniel Curry:
> I had lost the email that gave information on how to configure snort to see two, eth2 and eth3, promiscuous interfaces on a redhat 7.2 system?
I think you're perhaps talking about this?

---------------------------------------------------------------------------
Version 1.2 --- that promisc is only needed on the bond0 interface

Version 1.1 --- need to explicitly "promisc" on the ifconfigs; snort's putting the -i bond0 into promisc didn't propagate back through to the underlying eth interfaces.
---------------------------------------------------------------------------

In Red Hat 7.3, with the default 2.4.18-3 kernel, it's really easy to bond multiple channels to snort them all. The technique is documented in /usr/src/linux/Documentation/networking/bonding.txt. In brief:

    grep bond0 /etc/modules.conf || echo alias bond0 bonding >> /etc/modules.conf
    ifconfig bond0 promisc up
    for if in eth1 eth2 ...;do
        ifconfig $if up
        ifenslave bond0 $if
    done
    snort ... -i bond0 ...

Works great. The ifenslave invocations whinge a bit about all the things they can't do with the unnumbered interfaces, but it all works.

I used 3 Compaq DL-320s for a test setup. Each of these comes with two eepro100 interfaces; in one I've added a third such interface in the PCI slot. On each box the eth0 is the mgmt interface (NB when you add a PCI card eepro100 it becomes eth0 and the two builtin NICs renumber to eth1 and eth2). Besides running the eth0 interfaces to a hub, I tied the two eth1s from the dual-interface traffic generators to the eth1 and eth2 builtins on the 3-interface box, with crossover cables, running 100BaseT.

I used the above invocations to get snort cooking with its default sigs, listening to bond0 with eth1 and eth2 enslaved to it. Snort sat idle. I fired up a ping -f on one of the generators and snort jumped up to 25% CPU; then launched ping -f on the other generator and it jumped to 55%. Each generator was emitting c. 20,000 packets/second, default ping packet size (64 bytes).

When I next tried tcpreplay[1], all was not as happy, until I stumbled across the above-mentioned need to promisc the bond0 interface manually as you're ifconfigging it. Actually, what I first did was ifconfig both the bond0 and the underlying eth# interfaces promisc; that worked too, but was overkill. When I inquired about this matter on the bonding-devel mailing list, they explained to me that flags like promisc _Are_ propagated down to the underlying interfaces, but only at ifenslave time, not later. Once I got that, things got lots more better.

Do remember when benchmarking with tcpreplay to make sure to tcpdump -s 0, so you aren't using captures with truncated packets.

-Bennett

[1] <URL:http://tcpreplay.sf.net/>

--__--__--

Message: 6
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: "Hicks, John" <JHicks@JUSTICE.GC.CA>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 11:54:41 -0600

Wheew... I thought I was hacked or something. I thought some one was using my server as a proxy to scan other networks :-P

I'm not sure how to alleviate this problem, but maybe the Snort guru's can figure it out :)

Thanks
Joe

On Thu, 2002-10-24 at 11:46, Hicks, John wrote:
> I'm noticing the same thing after installing 1.9 on a Web Server. It seems to detect my $HOME_NET address replying to multiple web requests on various ephemeral ports as a portscan. any thoughts on how to control this? I tried the ignorehosts to no avail :(
>
> John
>
> -----Original Message-----
> From: Joe Giles [mailto:jgiles@joeman1.com]
> Sent: Thursday, October 24, 2002 1:23 PM
> To: Snort-List
> Subject: [Snort-users] Portscan 2 question
>
> I have a weird problem with 2 entries in my ACID database.
--__--__--

Message: 7
From: Soren Macbeth <smacbeth@atc-nycorp.com>
To: Snort-List <snort-users@lists.sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:02:40 -0400

Look at the ports that portscan2 reported. Sometimes clients browsing websites cause portscan2 to trigger based on the fact that some browsers initiate a new connection (and thus, new port) for each image. If you haven't changed the config, there should be a scan.log file in your snort log directory which will have more info.

//soren

--__--__--

Message: 8
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: Robby Desmond <rdesmond@els.ucsb.edu>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 12:12:44 -0600

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS... Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that part of?

Thanks for the reply
Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> Are you, by chance, running DNS?
>
> You should add your DNS servers to the list of portscan2-ignorehosts, otherwise you will get this sort of activity.
>
> If you are not running DNS, then check the "lasts" command to see who has been on your system. (Or who has been appearing as someone on your system.)
>
> -Robby
>
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906
--__--__--

Message: 9
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: Robby Desmond <rdesmond@els.ucsb.edu>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 12:15:54 -0600

I also checked the history files of the 5 users I do have and nothing in there indicates that nmap or nessus or any other scanner was run. And there was no sudo or su command initiated.

Thanks
Joe
--__--__--

Message: 10
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: Robby Desmond <rdesmond@els.ucsb.edu>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 12:21:58 -0600

Hey, that is a neat command :).

Well, according to last, no one logged on but me during the time of the "Issue".

Thanks. I will add my ISP's DNS to the list and see if that helps. This is the first time I have seen this message in ACID since I upgraded to the new snort. That was better than a week ago.

Thanks
Joe

On Thu, 2002-10-24 at 12:16, Robby Desmond wrote:
> At 12:12 PM 10/24/02 -0600, you wrote:
> > Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS... Should I add that to the list?
>
> Yes. That will reduce your portscan alerts, but doesn't solve the problem of your host causing portscan alerts.
>
> > Also, I don't seem to have the 'lasts' command. What package is that part of?
>
> Oops. Make that singular "last". It is a standard UNIX tool.
>
> > Thanks for the reply
> > Joe
>
> No prob.
>
> You might also want to check to see if any of the services you run from your server periodically scan hosts for some reason.
>
> HTH,
> -Robby
>
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906
--__--__--

Message: 11
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles@joeman1.com>
To: Soren Macbeth <smacbeth@atc-nycorp.com>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Date: 24 Oct 2002 12:26:18 -0600

Here is what I found in that scan.log file for the 2 dest IP's...

Instance 1>
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks
Joe
--__--__--

End of Snort-users Digest

--__--__--

Message: 2
From: Soren Macbeth <smacbeth@atc-nycorp.com>
To: 'Joe Giles' <jgiles@joeman1.com>, Soren Macbeth <smacbeth@atc-nycorp.com>
Cc: Snort-List <snort-users@lists.sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:32:59 -0400

I'm not sure about the udp dport 27160 stuff. Are you running some application on that port? It's all traffic to one particular host. You may want to check into that. The second one is definitely benign web browsing.

//soren
<INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021 10/18-19:04:12=3D3D2E292185 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161 10/19-12:38:43=3D3D2E719170 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417 10/19-19:16:04=3D3D2E828533 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585 10/19-19:41:53=3D3D2E321697 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600 10/19-21:13:32=3D3D2E829862 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639 10/22-14:51:35=3D3D2E899289 UDP src: <INTERNALIP> dst: 207=3D3D2E19=3D3D2E= 97=3D3D2=3D E119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0 Instance 2> 10/23-11:17:52=3D3D2E681476 TCP src: <INTERNALIP> dst: 206=3D3D2E65=3D3D2E= 183=3D3D=3D 2E110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0 What do you think? Thanks Joe On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
Look at the ports that portscan2 reported. Sometimes clients browsing websites cause portscan2 to trigger based on the fact that some browsers initiate a new connection (and thus, new port) for each image. If you haven't changed the config, there should be a scan.log file in your snort log directory which will have more info.

//soren

-----Original Message-----
From: Joe Giles [mailto:jgiles@joeman1.com]
Sent: Thursday, October 24, 2002 1:23 PM
To: Snort-List
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as a spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.

Thanks
Joe
--__--__--

Message: 3
Date: Thu, 24 Oct 2002 11:58:01 -0700
From: Gary Verhulp <garyv@cips.nokia.com>
Reply-To: gary.verhulp@nokia.com
To: Joe Giles <jgiles@joeman1.com>, snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Portscan 2 question

On most unix that I'm familiar with, it's "last", not "lasts". What OS are you on? What are the ports used in the scan? Can you post a section of the alert?

Gary

Joe Giles wrote:
Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS... Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that part of?

Thanks for the reply
Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:

At 11:22 AM 10/24/02 -0600, you wrote:
I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as a spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.
Thanks
Joe

Are you, by chance, running DNS? You should add your DNS servers to the list of portscan2-ignorehosts, otherwise you will get this sort of activity. If you are not running DNS, then check the "lasts" command to see who has been on your system. (Or who has been appearing as someone on your system.)

-Robby
Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
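The two replies above give the triage rules a defender actually applies to spp_portscan2 output: Soren's (a burst of TCP SYNs from many client ports to one web server on port 80 is usually a browser opening a connection per image) and Robby's (hosts your server talks to constantly, such as its DNS servers, belong in portscan2-ignorehosts). The following Python script is an added example, not code from this thread or from the Snort project. It parses scan.log lines in the format Joe posted, groups them by destination and port, and applies those two rules. The sample log is constructed from a few of Joe's lines plus one made-up UDP/53 line to a documentation address (192.0.2.53); the `preprocessor portscan2-ignorehosts:` line format is assumed from the Snort 1.9-era config style and is not quoted from the page.

```python
import re
from collections import defaultdict

# Constructed sample input: three of Joe's UDP lines, his TCP/80 line, and one
# made-up DNS line (192.0.2.53 is a documentation address, not a real server).
SAMPLE_SCAN_LOG = """\
Instance 1>
10/17-14:29:25.712618 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/22-14:51:35.899289 UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476 TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
10/23-12:00:00.000000 UDP src: <INTERNALIP> dst: 192.0.2.53 sport: 1025 dport: 53 tgts: 4 ports: 40 event_id: 0
"""

# One scan.log record; "flags:" is only present on TCP lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+src:\s+(?P<src>\S+)\s+dst:\s+(?P<dst>\S+)"
    r"\s+sport:\s+(?P<sport>\d+)\s+dport:\s+(?P<dport>\d+)"
    r"\s+tgts:\s+(?P<tgts>\d+)\s+ports:\s+(?P<ports>\d+)"
    r"(?:\s+flags:\s+(?P<flags>\S+))?\s+event_id:\s+(?P<event_id>\d+)\s*$"
)


def parse_scan_log(text):
    """Parse scan.log text into dicts; 'Instance N>' headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Instance"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised scan.log line: " + line)
        rec = m.groupdict()
        for key in ("sport", "dport", "tgts", "ports", "event_id"):
            rec[key] = int(rec[key])
        entries.append(rec)
    return entries


def classify(entries, ignore_hosts=frozenset()):
    """Group records by (proto, dst, dport) and return a triage verdict per group."""
    groups = defaultdict(list)
    for rec in entries:
        groups[(rec["proto"], rec["dst"], rec["dport"])].append(rec)

    verdicts = {}
    for (proto, dst, dport), recs in groups.items():
        if dst in ignore_hosts:
            # Robby's rule: hosts we legitimately hammer (DNS) should be excluded
            # from the preprocessor rather than triaged by hand every time.
            verdict = "ignored: host is listed in portscan2-ignorehosts"
        elif proto == "TCP" and dport == 80 and all("S" in (r["flags"] or "") for r in recs):
            # Soren's rule: SYNs from many client ports to a web server look like
            # a browser opening one connection per image, not a scan.
            verdict = "likely web browsing: SYNs from client ports to a single web server"
        elif proto == "UDP" and len(recs) >= 2:
            # Soren's open question: repeated UDP to one host on one port is some
            # application; identify the process that owns it before dismissing it.
            verdict = "review: repeated UDP to one host on dport %d; identify the application" % dport
        else:
            verdict = "review: no heuristic matched"
        verdicts[(proto, dst, dport)] = verdict
    return verdicts


def ignorehosts_line(hosts):
    """Render an ignore list as a Snort 1.9-style preprocessor line (format assumed, not from the page)."""
    return "preprocessor portscan2-ignorehosts: " + " ".join(h + "/32" for h in sorted(hosts))


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_SCAN_LOG)
    for key, verdict in sorted(classify(recs, ignore_hosts={"192.0.2.53"}).items()):
        print("%s %s:%d -> %s" % (key[0], key[1], key[2], verdict))
    print(ignorehosts_line(["192.0.2.53"]))
```

Run against a real scan.log, the grouping step is the useful part: the twelve UDP records Joe posted collapse to one line for 207.19.97.119:27160, which is exactly the question Soren asked (what on the server talks to that host on that port), while the TCP/80 burst is dismissed by the browser rule.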
--__--__--

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users