[Snort-sigs] Tracking High Port Scans and Attacks - Port 63285

Robert Wagner rwagner at ...447...
Tue Apr 23 08:12:36 EDT 2002


Typically, ports above 1024 are not monitored well.  I decided to start
tracking some of these and see if we are missing some signatures.  I created
a set of rules like:


alert tcp [!mypublicnetwork/24] 1023: -> [!myfirewall/32] 1023: (msg:"LOCAL Misc high port scan";tag: session,300,packets;)
alert udp [!mypublicnetwork/24] 1023: -> [!myfirewall/32] 1023: (msg:"LOCAL Misc high port scan";tag: session,300,packets;)

This tracks stuff coming into the network from the outside, not destined to
my firewall (firewalls typically use high ports for outbound connections).
I am working on several signatures from information found during this
monitoring.

I found some traffic from 63285 that I cannot identify:

Apr 23 06:40:12 xserver02 snort[15927]: [1:0:0] LOCAL Misc high port scan {TCP} 210.99.212.7:63285 -> myserver:50835
Apr 23 06:48:35 xserver02 snort[15927]: [1:0:0] LOCAL Misc high port scan {TCP} 210.99.212.7:63285 -> myserver:21907

-rw-------    1 root     root          575 Apr 23 06:48 TCP:63285-21907
-rw-------    1 root     root          575 Apr 22 23:47 TCP:63285-26515
-rw-------    1 root     root          575 Apr 23 06:40 TCP:63285-50835
----------------------------------------------------------------> the traces
all appear to be the same size and information
[**] LOCAL Misc high port scan [**]
04/22-23:47:41.287490 210.99.212.7:63285 -> myserver:26515
TCP TTL:236 TOS:0x0 ID:47289 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x5420CACE  Win: 0x0  TcpLen: 20
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 B8 B9 00 00 EC 06 FF D3 D2 63 D4 07 xx xx  .(.........c...,
0x0020: xx xx F7 35 67 93 00 00 00 00 54 20 CA CE 50 14  ...5g.....T ..P.
0x0030: 00 00 1B D6 00 00 00 00 00 00 00 00              ............

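Decoding the packet dump quoted in the post, as an added example (not code from the post or from Snort): it turns the hex-dump lines back into bytes, walks the Ethernet, IPv4 and TCP headers, and recovers the TTL, IP ID, ports, Seq/Ack and flag string that the alert printed. The bytes the author masked as `xx` are decoded as zero (so the destination address reads 0.0.0.0), and `looks_like_syn_reply_reset` is a hypothetical helper name for the check that a RST/ACK with Seq 0, Win 0 and no payload has the shape of a reset answering a SYN, which is what a defender would want to confirm before hunting for the matching outbound SYN.

```python
import re
import struct

# Hex dump copied from the post; "xx" marks bytes the author masked (MAC
# addresses and the destination IP). Masked bytes decode as 0x00 here.
DUMP = """\
0x0000: 00 xx xx xx xx xx xx xx xx xx xx xx xx 00 45 00  ....:1..c.....E.
0x0010: 00 28 B8 B9 00 00 EC 06 FF D3 D2 63 D4 07 xx xx  .(.........c...,
0x0020: xx xx F7 35 67 93 00 00 00 00 54 20 CA CE 50 14  ...5g.....T ..P.
0x0030: 00 00 1B D6 00 00 00 00 00 00 00 00              ............
"""

# Snort prints TCP flags in the order 1 2 U A P R S F (CWR, ECE, URG, ACK, ...).
SNORT_FLAG_ORDER = ((0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"),
                    (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F"))

def parse_dump(dump: str) -> bytes:
    """Convert 'offset: hex bytes  ascii' lines into raw frame bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split():
            if tok == "xx":
                out.append(0)                      # masked byte
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                out.append(int(tok, 16))
            else:
                break                              # ASCII column reached
    return bytes(out)

def decode(frame: bytes, eth_hdr_len: int = 14) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and report the fields Snort prints."""
    ip = frame[eth_hdr_len:]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]                        # total_len drops Ethernet padding
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ttl, "ip_id": ip_id, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(c if off_flags & bit else "*" for bit, c in SNORT_FLAG_ORDER),
        "window": window, "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }

def looks_like_syn_reply_reset(s: dict) -> bool:
    # RST+ACK, Seq 0, Win 0, no payload: the shape of a reset sent in answer to a SYN.
    return s["flags"] == "***A*R**" and s["seq"] == 0 and s["window"] == 0 and s["payload_len"] == 0
```

The decoded fields match the alert header line for line (TTL 236, ID 47289, 63285 -> 26515, `***A*R**`, Ack 0x5420CACE), which is the quickest sanity check that the dump and the printed summary describe the same packet.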