Snort mailing list archives
RE: Snort Logs [HITCON VIRUS CHECK: OK]
From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner () baesystems com>
Date: Thu, 3 Jun 2004 08:00:38 -0400
That is pretty typical of a webserver. A client browser will open multiple connections to the server, perhaps to download many images concurrently. Snort will then see the server sending data back to multiple ports on the client. This can trigger the port scan mechanism.

-----Original Message-----
From: snort-users-admin () lists sourceforge net on behalf of Maik.Linnemann () hitcon de
Sent: Thu 06/03/2004 06:37 AM
To: snort-users () lists sourceforge net
Cc:
Subject: [Snort-users] Snort Logs [HITCON VIRUS CHECK: OK]

Today I checked my logfiles and found really strange things in my IDS logs - I found this:

Datum: 05/24 08:41:30
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 57 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:60847
Referenz: nichts gefunden
SID: n/a

Datum: 05/24 09:10:04
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 2 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33149
Referenz: nichts gefunden
SID: n/a

Datum: 05/24 09:11:22
Name: (spp_portscan2) Portscan detected from 195.202.xx.xx: 1 targets 21 ports in 18 seconds
Priorität: n/a
Typ: n/a
IP-Info: 195.202.xx.xx:80 -> 195.202.xx.xxx:33281
Referenz: nichts gefunden
SID: n/a

First of all: both of the addresses belong to me!!!!! The one out of port 80 is my mail server and a webserver is also running on that machine. The other one (targeted on 33281) is also mine on a second location.... They're connected via VPN......but as you see, they use the external IP addresses, so I guess it doesn't come from the inside of my nets...

I'm really not so deep into Snort, so if anyone could explain a little bit what it could be - that would be great!!!! What shall I do now? I haven't done a port scan!????

What do you think?
HITCON AG
Maik Linnemann
Gartenstrasse 208
48147 Münster
0251/2801-206 (Phone)
0251/2801-280 (Fax)
0170/6364123 (Mobil)
Mail: info () hitcon de
http://www.hitcon.de

-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today!
http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
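
Added example, not part of the original thread: a small Python triage pass over alerts in the layout quoted above, labelling the pattern the reply describes (one "scanner" sending from a listening service port to high ports on a single target). The function name, the service-port list, the 1024 cut-off and the sample addresses are assumptions made for this illustration.

```python
import re

# Constructed sample in the layout of the alerts quoted above; addresses are
# documentation-range placeholders, not the poster's.
SAMPLE = """\
Name: (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 57 seconds
IP-Info: 192.0.2.10:80 -> 198.51.100.7:60847
Name: (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 2 seconds
IP-Info: 192.0.2.10:80 -> 198.51.100.7:33149
Name: (spp_portscan2) Portscan detected from 203.0.113.5: 1 targets 40 ports in 3 seconds
IP-Info: 203.0.113.5:41234 -> 192.0.2.10:22
"""

ALERT = re.compile(r"Portscan detected from (\S+): (\d+) targets (\d+) ports in (\d+) seconds")
FLOW = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")


def triage(text, service_ports=(80, 443), ephemeral_min=1024):
    """Pair each alert with the flow line that follows it and label it.

    Assumed heuristic: a "scanner" talking FROM a listening service port TO a
    high port on a single target is a server answering one client's parallel
    connections, not a scan.
    """
    results, pending = [], None
    for line in text.splitlines():
        alert = ALERT.search(line)
        if alert:
            pending = {"scanner": alert.group(1), "targets": int(alert.group(2)),
                       "ports": int(alert.group(3)), "seconds": int(alert.group(4))}
            continue
        flow = FLOW.search(line)
        if flow and pending:
            src, sport, dst, dport = flow.group(1), int(flow.group(2)), flow.group(3), int(flow.group(4))
            reply = (src == pending["scanner"] and pending["targets"] == 1
                     and sport in service_ports and dport >= ephemeral_min)
            pending.update(src_port=sport, dst=dst, dst_port=dport,
                           verdict="likely-server-reply" if reply else "review")
            results.append(pending)
            pending = None
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["scanner"]}:{r["src_port"]} -> {r["dst"]}:{r["dst_port"]}  '
              f'{r["ports"]} ports/{r["seconds"]}s  {r["verdict"]}')
```

The IP-Info line carries only one sample flow per alert, so a "likely-server-reply" verdict is a triage hint to confirm against the web server's access log, not proof.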