[Snort-users] Bothersome portscans and some conjecture

Gene R. Gomez ggomez at ...677...
Mon Nov 20 11:15:18 EST 2000


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey folks,
I've attached below the results of one portscan.log session.  To
provide some information about the below to get everyone on the same
page:
1:	20 and 40 are two IP addresses for the same mail server, answering
for two different domains.
2:	78 is my IDS
3:	80 is a packet filter/firewall/RAS server, behind which 20 and 30
are protected.
4:	I get these types of scans every few days; they NEVER scan the
entire subnet; they're always targeted as the below.
Anyway, this scan is typical.  For those who don't know, the below
scan is most likely for the Sub7 trojan.  It really doesn't bother me
because it's an incredibly lame attempt.  What DOES bother me:
78 (my Snort box) is running IPchains with a rule set specifying to
outright DENY (not REJECT) all SYNs and ICMP requests.  This should
mean that the Snort box is in full stealth mode, with the exception
of ARP requests (which I'm not really sure how to get rid of yet). 
The only time this IP is used is once an hour when my Snort box
attempts to connect to www.whitehats.com and download a newer version
of vision.rules.  At one point, I changed this IP from 79 to 78.  The
scans adjusted appropriately.  The scans also never come from the
same host.  Based on this, I suspect the following:
1:	My traffic is being sniffed somewhere upstream (otherwise, how
else would they get my IDS IP address?).
2:	I'm dealing with either an individual or group of individuals
sharing information who is/are either spoofing or has/have access to
quite a few compromised hosts.
If it helps anything, my IPchains rulesets are set up like so:

ipchains -P input DENY
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -p icmp -d x.y.z.78 3 -j ACCEPT
ipchains -A input -p udp -j ACCEPT

I should probably be more selective on that UDP rule; I only set it
up so that DNS queries would work.  Actually, I might as well change
it now...I need to add an option like -d x.y.z.78 53, right?
Anyway, on my suspicions above, do they sound right?  Here are the
scan logs (for one event...they're all so painfully similar that I
won't bother posting them all):

Nov 16 15:12:19 4.4.113.119:3984 -> x.y.z.20:27374 SYN ******S*
Nov 16 15:12:20 4.4.113.119:4004 -> x.y.z.40:27374 SYN ******S*
Nov 16 15:12:18 4.4.113.119:4042 -> x.y.z.78:27374 SYN ******S*
Nov 16 15:12:18 4.4.113.119:4044 -> x.y.z.80:27374 SYN ******S*

Thanks!
- -Gene

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOhlOFiMV0otagQpeEQKahwCg44rb7EJZFMnjxZhRbGhTYQuNsL8AoPkh
jTjzAmbALoRM1iOFw7YJZf2e
=9Rh0
-----END PGP SIGNATURE-----
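The post's core observation is that the scan hits exactly the four known addresses (20, 40, 78, 80) on one port within a couple of seconds rather than walking the subnet. The script below is an added example, not part of the original message or of Snort: it parses lines in the Snort 1.x portscan.log format quoted above, groups probes per source host, and labels each source as "targeted" (every probed host is in a defender-supplied watch list) or "sweep" (it touched addresses outside that list). The watch list, the sanitised x.y.z.* addresses, the second scanning source and the year used to complete the syslog timestamps are all constructed assumptions.

```python
"""Summarise Snort 1.x portscan.log records per scanning source.

Added example for the thread above; not code from the original post or
from the Snort project. It answers the defender's question the post
raises: did the scanner walk our subnet, or aim only at hosts it
already knew about?
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's portscan.log excerpt.
# The first four lines mirror the post; the 10.0.0.9 lines are an
# invented contrast case that walks consecutive addresses.
SAMPLE_LOG = """\
Nov 16 15:12:19 4.4.113.119:3984 -> x.y.z.20:27374 SYN ******S*
Nov 16 15:12:20 4.4.113.119:4004 -> x.y.z.40:27374 SYN ******S*
Nov 16 15:12:18 4.4.113.119:4042 -> x.y.z.78:27374 SYN ******S*
Nov 16 15:12:18 4.4.113.119:4044 -> x.y.z.80:27374 SYN ******S*
Nov 16 15:13:02 10.0.0.9:1025 -> x.y.z.1:23 SYN ******S*
Nov 16 15:13:02 10.0.0.9:1026 -> x.y.z.2:23 SYN ******S*
Nov 16 15:13:03 10.0.0.9:1027 -> x.y.z.3:23 SYN ******S*
"""

# Assumed watch list: the hosts the post says are always the targets.
WATCHED_HOSTS = {"x.y.z.20", "x.y.z.40", "x.y.z.78", "x.y.z.80"}

# Syslog-style timestamps carry no year; this is an assumption.
DEFAULT_YEAR = 2000

LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)\s*$"
)


def parse_line(line, year=DEFAULT_YEAR):
    """Parse one portscan.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
        "%Y %b %d %H:%M:%S",
    )
    return {
        "ts": ts,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "kind": m["kind"], "flags": m["flags"],
    }


def summarize(text, year=DEFAULT_YEAR):
    """Group records by source: probed hosts, ports, probe count, time span."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(),
                                   "probes": 0, "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue  # not a portscan record (blank line, other log noise)
        s = per_src[rec["src"]]
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["probes"] += 1
        # Lines are not guaranteed to be in time order (see the post's
        # excerpt), so take min/max rather than first/last seen.
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(per_src)


def classify(entry, watched_hosts):
    """'targeted' if every probed host is on the watch list, else 'sweep'."""
    return "targeted" if entry["hosts"] <= set(watched_hosts) else "sweep"


def report(text, watched_hosts=WATCHED_HOSTS, year=DEFAULT_YEAR):
    """Per-source summary suitable for a ticket or a quick terminal read."""
    out = {}
    for src, entry in summarize(text, year).items():
        out[src] = {
            "label": classify(entry, watched_hosts),
            "hosts": len(entry["hosts"]),
            "ports": sorted(entry["ports"]),
            "probes": entry["probes"],
            "span_s": int((entry["last"] - entry["first"]).total_seconds()),
        }
    return out


if __name__ == "__main__":
    for src, r in report(SAMPLE_LOG).items():
        print(f"{src:16} {r['label']:9} hosts={r['hosts']} ports={r['ports']} "
              f"probes={r['probes']} span={r['span_s']}s")
```

Run against the constructed sample, 4.4.113.119 comes out as a targeted probe of four watched hosts on port 27374 inside a two-second window, while 10.0.0.9 is labelled a sweep because it touched addresses outside the watch list. A "targeted" label on an address that is otherwise silent, such as the IDS here, is the signal worth investigating; the script only surfaces it, it does not explain how the scanner learned the address.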
