Snort mailing list archives
SNORT3 - (port_scan) TCP portsweep
From: Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Mon, 8 Jul 2019 16:09:39 -0400
Hello group,

I have a LOT of these (port_scan) TCP portsweep alerts in my logs, which look a lot like false positives:

172.217.10.78:443 -> xx.37.xx.58:58622 (port_scan) TCP portsweep
xx.37.xx.58:53827 -> 157.240.14.10:443 (port_scan) TCP portsweep
xx.37.xx.57:30552 -> 185.176.27.242:49361 (port_scan) TCP portsweep
xx.37.xx.58:61077 -> 54.152.8.15:443 (port_scan) TCP portsweep
23.52.164.32:443 -> xx.37.xx.58:61034 (port_scan) TCP portsweep
xx.37.xx.58:61039 -> 99.86.231.159:443 (port_scan) TCP portsweep

I looked at the packet itself and the data looks like this:

snort.raw[72]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%04.4X 000 17 10 8E 47 07 AC F1 DF 5F D1 28 08 00 45 00 ....71... .95.40..69.
%04.4X 1600 14 29 9F 00 B9 3F 11 7A 53 18 25 6B 3A A3 B6 ..41...63. 12283.3710758..
%04.4X 32AF F2 1F 2F 15 EB 46 7A D6 9B EC 7A 2D F6 6E 73 ...47..70122 ...12245.110115
%04.4X 48B0 79 D9 94 0F 15 96 CC EE A4 AF 63 02 51 94 B4 .121...... ...99.81..
%04.4X 6429 DC 19 6B D3 60 6B CF 41..107.96107.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
========================================================================
snort.raw[60]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%04.4X 0AC F1 DF 5F D1 28 00 17 10 8E 47 07 08 00 45 00 ...95.40.. ..71...69.
%04.4X 1600 2C 2A 47 40 00 39 11 0B 4A C0 60 C8 70 18 25 .44427164.57. .74.96.112.37
%04.4X 326B 3A A5 1A E5 5C 00 18 3B 2D 7E 2A 9D 0C 40 D0 10758...92.. 594512642..64.
%04.4X 4840 CA 3D 2D 48 2D 40 E4 CA D8 00 00 64.6145724564. ....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I am wondering if the scanning pre-processor is buggy or if it's me doing something wrong in my plugin? Does anybody else have the same problem? Any help would be welcome here, because I don't want to get rid of this, as it could be legitimate at some point in time.
Cheers, Christian Leclerc, CSSLP, CEH, OCMJEA, OCPJBCD, SCJP, ZCE christian.leclerc () sphere3solutions com
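To see what the frames in the two snort.raw dumps above actually contain, here is an added example (it is not Snort code and not part of the original post) that parses the dumps exactly as posted and decodes the Ethernet, IPv4 and transport headers. The parser assumes the layout visible in the post: every row starts with the literal `%04.4X` (apparently an unexpanded format string), the decimal byte offset is fused to the first hex byte, and the right-hand column is not an ASCII column but the decimal value of each printable byte ("71" for 0x47), so it is discarded. Decoded this way, both frames carry IP protocol 17 (UDP); the 72-byte frame's IP total length (20) and UDP length (18042) do not agree with the 58 IP bytes present, and the decoder reports that rather than trusting the header.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Both dumps are copied from the post. In each row the decimal byte offset
# (0, 16, 32, ...) is fused to the first hex byte ("000" = offset 0 + byte 00,
# "32AF" = offset 32 + byte AF). The right-hand column shows the decimal value
# of each printable byte (0x47 -> "71") and "." otherwise; it is discarded.
DUMP_72 = """\
%04.4X 000 17 10 8E 47 07 AC F1 DF 5F D1 28 08 00 45 00 ....71... .95.40..69.
%04.4X 1600 14 29 9F 00 B9 3F 11 7A 53 18 25 6B 3A A3 B6 ..41...63. 12283.3710758..
%04.4X 32AF F2 1F 2F 15 EB 46 7A D6 9B EC 7A 2D F6 6E 73 ...47..70122 ...12245.110115
%04.4X 48B0 79 D9 94 0F 15 96 CC EE A4 AF 63 02 51 94 B4 .121...... ...99.81..
%04.4X 6429 DC 19 6B D3 60 6B CF 41..107.96107.
"""
DUMP_60 = """\
%04.4X 0AC F1 DF 5F D1 28 00 17 10 8E 47 07 08 00 45 00 ...95.40.. ..71...69.
%04.4X 1600 2C 2A 47 40 00 39 11 0B 4A C0 60 C8 70 18 25 .44427164.57. .74.96.112.37
%04.4X 326B 3A A5 1A E5 5C 00 18 3B 2D 7E 2A 9D 0C 40 D0 10758...92.. 594512642..64.
%04.4X 4840 CA 3D 2D 48 2D 40 E4 CA D8 00 00 64.6145724564. ....
"""

PREFIX = "%04.4X "          # printed literally at the start of every row
HEX = set("0123456789ABCDEF")


def parse_dump(text: str, total: int) -> bytes:
    """Recover `total` raw frame bytes from a dump in the posted layout."""
    out = bytearray()
    for row, line in enumerate(text.splitlines()):
        if not line.startswith(PREFIX):
            raise ValueError(f"row {row}: unexpected prefix in {line!r}")
        tokens = line[len(PREFIX):].split()
        offset = str(16 * row)
        if not tokens[0].startswith(offset) or len(tokens[0]) != len(offset) + 2:
            raise ValueError(f"row {row}: expected offset {offset}, got {tokens[0]!r}")
        tokens[0] = tokens[0][len(offset):]          # peel the fused offset off
        row_end = min(16 * (row + 1), total)         # at most 16 bytes per row
        for tok in tokens:
            # the first token that is not exactly two hex digits starts the
            # decimal/dot column; stop there, or once the row is full
            if len(tok) != 2 or not set(tok.upper()) <= HEX or len(out) >= row_end:
                break
            out.append(int(tok, 16))
        if len(out) != row_end:
            raise ValueError(f"row {row}: got {len(out)} bytes, expected {row_end}")
    return bytes(out)


@dataclass
class Decoded:
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    ip_proto: int              # 6 = TCP, 17 = UDP
    ip_total_len: int
    ttl: int
    sport: int
    dport: int
    udp_len: Optional[int]     # UDP length field; None for TCP
    tcp_flags: Optional[int]   # TCP flags byte; None for UDP
    problems: list             # header fields that disagree with the bytes


def decode_frame(frame: bytes) -> Decoded:
    """Decode Ethernet/IPv4/{UDP,TCP} headers and sanity-check the lengths."""
    problems = []
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ipv4 = lambda b: ".".join(str(x) for x in b)
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        problems.append(f"ethertype 0x{ethertype:04X} is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    udp_len = tcp_flags = None
    if proto == 17:
        udp_len, = struct.unpack("!H", l4[4:6])
        if udp_len != total_len - ihl:
            problems.append(f"UDP length {udp_len} != IP payload length {total_len - ihl}")
    elif proto == 6:
        tcp_flags = l4[13]
    # Ethernet padding may make the frame longer than total_len, but total_len
    # can never exceed the captured IP bytes or be shorter than the headers.
    if not ihl + 8 <= total_len <= len(ip):
        problems.append(f"IP total length {total_len} vs {len(ip)} IP bytes captured")
    return Decoded(mac(frame[6:12]), mac(frame[:6]), ipv4(ip[12:16]), ipv4(ip[16:20]),
                   proto, total_len, ttl, sport, dport, udp_len, tcp_flags, problems)


def decode_post_dumps() -> dict:
    """Decode both dumps from the post, keyed by their snort.raw[N] size."""
    return {72: decode_frame(parse_dump(DUMP_72, 72)),
            60: decode_frame(parse_dump(DUMP_60, 60))}


if __name__ == "__main__":
    for size, d in decode_post_dumps().items():
        proto = {6: "TCP", 17: "UDP"}.get(d.ip_proto, str(d.ip_proto))
        print(f"snort.raw[{size}]: {d.ip_src}:{d.sport} -> {d.ip_dst}:{d.dport} "
              f"{proto} ttl={d.ttl} ip_len={d.ip_total_len} udp_len={d.udp_len}")
        for p in d.problems:
            print("   !", p)
```

The 60-byte frame decodes cleanly (IP total length 44, UDP length 24, two bytes of Ethernet padding); the 72-byte frame's length fields are reported as problems, so a parser built on this layout should treat them as untrusted rather than use them to slice the payload.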
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- SNORT3 - (port_scan) TCP portsweep Christian Leclerc (Jul 08)
- Re: SNORT3 - (port_scan) TCP portsweep Al Lewis (allewi) via Snort-devel (Jul 08)