[Snort-users] Anyone Else seen this weird traffic from aol?

Bill Pennington billp at ...60...
Fri Aug 11 18:47:15 EDT 2000


I have not noticed anything like that coming from AOL and a high
percentage of our users come from AOL. Are the IPs on your side clients
or servers? It looks like web traffic since the source port is 80 but
without a packet dump it is hard to tell.

I do know AOL runs lots of weird stuff with their mega proxies and
whatnot.

Thayne wrote:
> 
> Greetings,
> 
> Ever since we've been running snort, we are constantly getting weird stealth
> packets from aol that are picked up by the spp_portscan plugin.  The
> following is an excerpt from one instance:
> 
> Alert log:
> [**] spp_portscan: PORTSCAN DETECTED from 205.188.x.x (STEALTH) [**]
> [**] spp_portscan: portscan status from 205.188.x.x: 3 connections across 1
> hosts: TCP(3) UDP(0) STEALTH [**]
> [**] spp_portscan: End of portscan from 205.188.x.x: TOTAL time(2s) hosts(1)
> TCP(3) UDP(0) STEALTH [**]
> 
> Portscan.log:
> Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> RESERVEDBITS
> Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> RESERVEDBITS
> Aug  9 10:10:20 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R***
> RESERVEDBITS
> 
> They come from different AOL IP's and go to many different IP's on our net.
> We've tried to talk to AOL about it, but they just say it's normal traffic.
> Yeah right.
> 
> We can't seem to get the spp_portscan plugin to ignore it, as the packets are
> stealth.  Anyone else see this sort of traffic?  Any ideas on how to keep it
> from being logged?
> 
> TIA,
> Thayne
> 

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
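
A triage sketch for the kind of Portscan.log entries quoted in this thread, as an added example that is not part of either poster's message or of Snort itself. It rejoins the mail-wrapped lines, reads the flag string without assuming a column order, and separates RST-without-SYN packets from a service source port (the "looks like web traffic" case) from everything else. The sample log, the `SERVICE_PORTS` set and the reply heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the quoted Portscan.log excerpt, including the
# mail-wrapped continuation lines. Addresses are documentation placeholders.
SAMPLE = """\
Aug  9 10:10:18 192.0.2.10:80 -> 198.51.100.7 UNKNOWN *1**R***
RESERVEDBITS
Aug  9 10:10:18 192.0.2.10:80 -> 198.51.100.7 UNKNOWN *1**R***
RESERVEDBITS
Aug  9 10:10:20 192.0.2.11:80 -> 198.51.100.9 UNKNOWN *1**R***
RESERVEDBITS
Aug  9 10:11:02 203.0.113.5:4312 -> 198.51.100.7 UNKNOWN 21S*****
RESERVEDBITS
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<src>[\w.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\w.]+)(?::\d+)? (?P<kind>\w+) (?P<flags>\S{8})(?: (?P<note>.+))?$")

SERVICE_PORTS = {80}  # assumption: source ports treated as "server side"

def parse(text):
    """Rejoin wrapped lines, then return one dict per log entry."""
    joined = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()          # tolerate e-mail quoting
        if not line:
            continue
        if STAMP.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line              # continuation of previous entry
    out = []
    for line in joined:
        m = ENTRY.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["set"] = {c for c in rec["flags"] if c != "*"}  # order-agnostic
            out.append(rec)
    return out

def looks_like_reply(rec):
    """Heuristic (assumption): RST without SYN from a service port reads as a reply."""
    return rec["sport"] in SERVICE_PORTS and "R" in rec["set"] and "S" not in rec["set"]

def triage(text):
    """Count entries per (source, verdict) so recurring sources stand out."""
    return Counter((r["src"], "reply-like" if looks_like_reply(r) else "review")
                   for r in parse(text))
```

Entries counted as "reply-like" are candidates for a packet capture, as suggested in the reply above, before any decision to suppress them.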



