[Snort-sigs] Portscan reporting

Bamm Visscher rvissche at ...1206...
Mon Feb 17 10:58:46 EST 2003


Forwarded for the benefit of everyone else. Dang those sf lists, I
always forget to change the To: after doing a reply.

Bammkkkk

On Mon, 2003-02-17 at 11:26, Antony J. Shepherd wrote:
> Actually, that could be it. That hadn't occurred to me before. Thanks.
> Antony.
> 
> > -----Original Message-----
> > From: Bamm Visscher [mailto:rvissche at ...1206...]
> > Sent: 17 February 2003 16:56
> > To: antony.s at ...1308...
> > Subject: Re: [Snort-sigs] Portscan reporting
> > 
> > 
> > I would bet he was trying to do an "active" ftp transfer from behind a
> > firewall. In active ftp, the ftp server initiates the data transfer from
> > port 20 to a high (>1024) port on the client. The problem is, when the
> > ftp server tried to connect to the client (your colleague's system) the
> > FW blocked the connection. In response, a new PORT was negotiated,
> > again and again and again. The portscan preproc is going to detect this
> > as a portscan. The only way you could make the snort engine "smart" enough
> > to not trigger on this activity is for it to decode ftp command sessions and
> > then correlate them to ftp-data transfer attempts. If you have traffic
> > captures for the command session (port 21), you'll see what happened.
> > 
> > Bammkkkk
> > 
> > On Mon, 2003-02-17 at 03:29, Antony J. Shepherd wrote:
> > > We had this portscan report that went on for hours. When I checked the
> > > portscan.log file, it seemed that the access was originating on port 20
> > > (FTP_Data) at the far end, and chugging through every single port from 1024
> > > onwards on our end. This turned out to be due to a colleague sending a large
> > > file by FTP to a client, and it was the client's IP address that was showing
> > > up.
> > > 
> > > Any ideas why an FTP upload should get picked up as a portscan by Snort?
> > > 
> > > Yours,
> > > Antony J. Shepherd.
> > > 
-- 
Bamm (Robert) Visscher
Network Security Engineer
Ball Corp.
http://www.ball.com
rvissche at ...1206... 
210.240.5950 
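The correlation Bamm describes (decode the PORT commands on the control session, then check whether each port-20 connection attempt was announced by one of them) is what separates blocked active-FTP retries from a real sweep. The script below is an added example for triaging such a report offline; it is not code from this thread, from Snort, or from its portscan preprocessor. The two record layouts (a control-channel command log and a list of connection attempts) and all addresses and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# FTP PORT argument: h1,h2,h3,h4,p1,p2. The client tells the server which
# address and port to connect to (from server port 20) for the next transfer.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)
# Constructed record formats (assumptions, not a real Snort or portscan.log layout):
#   command log : "<epoch> <ftp_client_ip> <ftp_server_ip> <ftp command line>"
#   attempt log : "<epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
ATTEMPT_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_port_command(cmd: str):
    """Decode a PORT argument into (ip, port); None if it is not a valid PORT."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # octet or port byte out of range
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Attempt:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_attempt(line: str) -> Attempt:
    m = ATTEMPT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable attempt record: {line!r}")
    ts, src, sport, dst, dport = m.groups()
    return Attempt(int(ts), src, int(sport), dst, int(dport))


def announced_data_ports(command_lines: Iterable[str]) -> dict:
    """Map (server_ip, announced_ip, announced_port) -> time of the PORT command."""
    announced = {}
    for line in command_lines:
        ts, ftp_client, ftp_server, cmd = line.strip().split(" ", 3)
        decoded = parse_port_command(cmd)
        if decoded is None:
            continue  # USER, STOR, ... carry no data-port information
        ip, port = decoded
        announced[(ftp_server, ip, port)] = int(ts)
    return announced


def classify_attempts(command_lines, attempt_lines, window: int = 60):
    """Split attempts into those a preceding PORT command explains (an active-FTP
    data channel from port 20, within `window` seconds) and everything else."""
    announced = announced_data_ports(command_lines)
    explained, unexplained = [], []
    for line in attempt_lines:
        a = parse_attempt(line)
        t = announced.get((a.src, a.dst, a.dport))
        if a.sport == 20 and t is not None and 0 <= a.ts - t <= window:
            explained.append(a)
        else:
            unexplained.append(a)
    return explained, unexplained


def is_active_ftp_fallout(command_lines, attempt_lines) -> bool:
    """True when every attempt is accounted for by a preceding PORT command."""
    explained, unexplained = classify_attempts(command_lines, attempt_lines)
    return bool(explained) and not unexplained


# Constructed sample: 192.0.2.10 (behind the firewall) uploads to server
# 198.51.100.20; each blocked data connection is followed by a fresh PORT.
COMMAND_LOG = [
    "1045497600 192.0.2.10 198.51.100.20 USER upload",
    "1045497601 192.0.2.10 198.51.100.20 PORT 192,0,2,10,4,1",  # port 1025
    "1045497602 192.0.2.10 198.51.100.20 STOR bigfile.zip",
    "1045497605 192.0.2.10 198.51.100.20 PORT 192,0,2,10,4,2",  # port 1026
    "1045497609 192.0.2.10 198.51.100.20 PORT 192,0,2,10,4,3",  # port 1027
    "1045497613 192.0.2.10 198.51.100.20 PORT 192,0,2,10,4,4",  # port 1028
]
FTP_RETRIES = [
    "1045497602 198.51.100.20:20 -> 192.0.2.10:1025",
    "1045497606 198.51.100.20:20 -> 192.0.2.10:1026",
    "1045497610 198.51.100.20:20 -> 192.0.2.10:1027",
    "1045497614 198.51.100.20:20 -> 192.0.2.10:1028",
]
# Same source, but also walking ports nobody announced: a genuine sweep.
REAL_SWEEP = FTP_RETRIES + [
    "1045497615 198.51.100.20:20 -> 192.0.2.10:1029",
    "1045497616 198.51.100.20:20 -> 192.0.2.10:1030",
]

if __name__ == "__main__":
    for label, attempts in (("ftp retries", FTP_RETRIES), ("real sweep", REAL_SWEEP)):
        ex, un = classify_attempts(COMMAND_LOG, attempts)
        print(f"{label}: {len(ex)} explained, {len(un)} unexplained, "
              f"active-ftp fallout={is_active_ftp_fallout(COMMAND_LOG, attempts)}")
```

The first sample reproduces the thread's situation: every port-20 attempt lands on a port the local host had just announced, so the report is firewall fallout rather than a scan. The second sample adds attempts on ports no PORT command mentioned, which is exactly the signal a real sweep leaves behind and the reason the correlation has to be done against the control session rather than against the data-port pattern alone.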
