Snort mailing list archives

Portsweep and ICMP Sweep Alerts


From: Omar Osta <o.osta1978 () gmail com>
Date: Fri, 27 Mar 2015 08:54:10 -0400

Hi,

I have been testing and tuning Snort before putting it into production. Two
days ago I put my workstation on the switch for testing and fine tuning.
Yesterday morning I noticed TCP Portsweep event logs coming from my
workstation to the internet. I downloaded the payload and opened it in
Notepad, and it looks like "Open Port: 80" or "Open Port: 443". There is no
pcap to download. I ran Wireshark to see if it could detect it, but it
could not.

My sfportscan preprocessor is set up like this:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } scan_type { all } logfile { /etc/snort/portscan.log }

Yesterday I detected 413 port sweeps and one ICMP sweep. Most sweeps
were to external IP addresses, but some were inside my network. That is
when I really got concerned.

This morning I had another ICMP sweep from my computer to a server on a
different subnet that I had opened a webpage to. The really weird thing
about this is that the payload said the scanned range was on the subnet my
workstation was on, not the destination IP address of the ICMP sweep alert.

Payload is this:

Priority Count: 5
Connection Count: 13
IP Count: 13
Scanned IP Range: (sanitized)
Port/Proto Count: 0
Port/Proto Range: 0:0

Is my computer compromised, or is there a chance these are false positives?
I can't find any software on my computer that isn't supposed to be there.
Yes, I have nmap, but I wasn't doing those scans. My antivirus and
Malwarebytes say my computer is clean.
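An added example, not from the thread, in Python: it parses the "Key: value" lines of an sfportscan alert payload like the one quoted above and records the facts a triage would check first, such as whether the scanned range lies inside one of your own subnets (the oddity the post describes) and whether the counts look like a sweep (many hosts, one or zero ports) rather than a port scan of one host. The sample payload, the 10.0.1.0/24 range and the local subnet list are constructed placeholders, since the real range was sanitized.

```python
import ipaddress
import re

# Constructed sample of an sfportscan payload in the format quoted in the post;
# the range is a placeholder standing in for the sanitized one.
SAMPLE_PAYLOAD = """Priority Count: 5
Connection Count: 13
IP Count: 13
Scanned IP Range: 10.0.1.1:10.0.1.254
Port/Proto Count: 0
Port/Proto Range: 0:0
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+):\s*(?P<val>.*)$")


def parse_portscan_payload(text):
    """Turn the 'Key: value' lines of an sfportscan payload into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def parse_range(r):
    """Split the 'low:high' form used by Scanned IP Range into two addresses."""
    lo, hi = r.split(":")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def triage(fields, local_nets):
    """Facts a defender checks before escalating a portscan/portsweep alert.

    kind: 'sweep' when many hosts were touched on at most one port/proto
          (ICMP sweeps show Port/Proto Count 0), else 'portscan'.
    range_is_local: the whole scanned range sits inside one of local_nets.
    one_conn_per_host: each connection hit a distinct host, typical of a sweep.
    """
    ip_count = int(fields["IP Count"])
    conn_count = int(fields["Connection Count"])
    port_count = int(fields["Port/Proto Count"])
    lo, hi = parse_range(fields["Scanned IP Range"])
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return {
        "kind": "sweep" if ip_count > 1 and port_count <= 1 else "portscan",
        "range_is_local": any(lo in n and hi in n for n in nets),
        "one_conn_per_host": ip_count == conn_count,
        "priority": int(fields["Priority Count"]),
    }
```

Run it over the payload Snort attached to each alert; a sweep whose range is local and whose source is your own workstation is the case worth checking against what the host was actually doing at that time.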