[Snort-users] Anyone Else seen this weird traffic from aol?

Thayne thayne_a at ...125...
Fri Aug 11 16:20:55 EDT 2000


Greetings,

Ever since we've been running snort, we are constantly getting weird stealth
packets from aol that are picked up by the spp_portscan plugin.  The
following is an excerpt from one instance:

Alert log:
[**] spp_portscan: PORTSCAN DETECTED from 205.188.x.x (STEALTH) [**]
[**] spp_portscan: portscan status from 205.188.x.x: 3 connections across 1 hosts: TCP(3) UDP(0) STEALTH [**]
[**] spp_portscan: End of portscan from 205.188.x.x: TOTAL time(2s) hosts(1) TCP(3) UDP(0) STEALTH [**]

Portscan.log:
Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS
Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS
Aug  9 10:10:20 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS

They come from different AOL IPs and go to many different IPs on our net.
We've tried to talk to AOL about it, but they just say it's normal traffic.
Yeah right.

We can't seem to get the spp_portscan plugin to ignore it, as the packets are
stealth.  Anyone else see this sort of traffic?  Any ideas on how to keep it
from being logged?

TIA,
Thayne



