Snort mailing list archives
Portsweep and ICMP Sweep Alerts
From: Omar Osta <o.osta1978 () gmail com>
Date: Fri, 27 Mar 2015 08:54:10 -0400
Hi,

I have been testing and tuning Snort before putting it into production. Two days ago I put my workstation on the switch for testing and fine tuning. Yesterday morning I noticed TCP Portsweep event logs coming from my workstation to the internet. I downloaded the payload and opened it in Notepad, and it looks like "Open Port: 80" or "Open Port: 443". There is no pcap to download. I ran Wireshark to see if it could detect it, but it could not.

My sfportscan preprocessor is set up like this:

    preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } scan_type { all } logfile { /etc/snort/portscan.log }

Yesterday I detected 413 port sweeps and one ICMP sweep. Most sweeps were to external IP addresses, but some were inside my network. That is when I really got concerned. This morning I had another ICMP sweep from my computer to a server on a different subnet that I had opened a webpage to. The really weird thing about this is that the payload said the scanned range was on the subnet my workstation was on, not the destination IP address of the ICMP sweep alert. The payload is this:

    Priority Count: 5
    Connection Count: 13
    IP Count: 13
    Scanned IP Range: (sanitized)
    Port/Proto Count: 0
    Port/Proto Range: 0:0

Is my computer compromised, or is there a chance these are false positives? I can't find any software on my computer that isn't supposed to be there. Yes, I have nmap, but I wasn't doing those scans. My antivirus and Malwarebytes say my computer is clean.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
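The question above turns on two things the alert text can answer: which hosts the sweep alert says were touched, and whether that range even contains the destination Snort flagged. The script below is an added example for this thread, not code from the poster or from the Snort project. It parses the text block sfportscan stores as the alert payload (the Priority Count, Connection Count, IP Count, Scanned IP Range, Port/Proto Count and Port/Proto Range fields quoted in the post, plus the "Open Port: N" form), then reports whether the scanned range lies inside the flagged source's own subnet and whether it contains the flagged destination, which is exactly the mismatch the post describes. The "Scanner IP Range" label, the sample payload text and all addresses are constructed or assumed; the CIDR blocks stand in for the poster's sanitized network.

```python
"""Triage helper for sfportscan alert payloads (added example, not Snort's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Every value is digits, dots and colons, so one regex per field works whether
# the payload still has its line breaks or was squashed onto a single line
# (the form in which the post quotes it).
_NUM_FIELDS = ("Priority Count", "Connection Count", "IP Count",
               "Port/Proto Count")


def _field(name: str, text: str) -> Optional[str]:
    m = re.search(re.escape(name) + r":\s*([\d.:]+)", text)
    return m.group(1) if m else None


@dataclass
class SweepInfo:
    priority_count: int
    connection_count: int
    ip_count: int
    range_lo: ipaddress.IPv4Address
    range_hi: ipaddress.IPv4Address
    port_count: int
    port_lo: int
    port_hi: int


def parse_payload(text: str) -> Union[SweepInfo, int, None]:
    """SweepInfo for a scan/sweep payload, the port number for an
    'Open Port: N' payload, None if the text is neither."""
    port = _field("Open Port", text)
    if port is not None:
        return int(port)
    # "Scanned IP Range" is the label quoted in the post; "Scanner IP Range"
    # is an assumed alternate label accepted for the same field.
    rng = _field("Scanned IP Range", text) or _field("Scanner IP Range", text)
    prange = _field("Port/Proto Range", text)
    nums = [_field(n, text) for n in _NUM_FIELDS]
    if rng is None or prange is None or None in nums:
        return None
    lo, hi = rng.split(":")
    plo, phi = prange.split(":")
    pc, cc, ic, ppc = (int(n) for n in nums)
    return SweepInfo(pc, cc, ic, ipaddress.ip_address(lo),
                     ipaddress.ip_address(hi), ppc, int(plo), int(phi))


def triage(src: str, dst: str, payload: str, local_nets: List[str]) -> dict:
    """Summarise one alert; local_nets are the CIDR blocks the sensor owns."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_net = next((n for n in nets if s in n), None)
    out = {"src_is_local": src_net is not None,
           "dst_is_local": any(d in n for n in nets)}
    info = parse_payload(payload)
    if isinstance(info, int):
        out["kind"] = "open_port"
        out["open_port"] = info
        return out
    if info is None:
        out["kind"] = "unparsed"
        return out
    out["kind"] = "sweep"
    out["hosts_touched"] = info.ip_count
    # Port/Proto Count 0 with range 0:0 is what the post shows for the ICMP
    # sweep: the alert carries no port information at all.
    out["no_port_info"] = info.port_count == 0
    out["range_contains_dst"] = info.range_lo <= d <= info.range_hi
    out["range_in_src_subnet"] = (src_net is not None
                                  and info.range_lo in src_net
                                  and info.range_hi in src_net)
    return out


# Constructed samples in the shape quoted in the post; addresses are made up.
SAMPLE_ICMP_SWEEP = ("Priority Count: 5\nConnection Count: 13\nIP Count: 13\n"
                     "Scanned IP Range: 10.10.20.2:10.10.20.250\n"
                     "Port/Proto Count: 0\nPort/Proto Range: 0:0\n")
SAMPLE_OPEN_PORT = "Open Port: 443\n"
LOCAL_NETS = ["10.10.20.0/24", "10.10.30.0/24"]

if __name__ == "__main__":
    # Workstation on 10.10.20.0/24 flagged sweeping a server on 10.10.30.0/24.
    print(triage("10.10.20.15", "10.10.30.7", SAMPLE_ICMP_SWEEP, LOCAL_NETS))
    # Open-port alert toward an external web server.
    print(triage("10.10.20.15", "203.0.113.9", SAMPLE_OPEN_PORT, LOCAL_NETS))
```

Run over the alerts in portscan.log, a result with `range_in_src_subnet` true and `range_contains_dst` false is the case described in the post: the alert names one destination, but the range it reports covers the source's own subnet. A high `hosts_touched` with `no_port_info` true is worth pulling a packet capture for (the preprocessor's own alerts carry none), since that is where a real ping sweep and a preprocessor false positive look identical in the log.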