[Snort-users] every connection a portscan....??

Tye F. Hammerle thammer at ...445...
Thu Oct 5 20:53:55 EDT 2000


As Phil pointed out they're probably using the ECN feature in the
experimental linux kernel.  An additional item of interest is that if
you're running a PIX firewall and it's seeing this it will not
recognize it as a valid connection attempt and will deny it.  At least
this is true with version 5.0.3. There are a couple of sites with mail
servers out there using ECN and they can't deliver mail to us because
of it. I've let them know but they chose not to reply.

Tye

----- Original Message -----
From: "Jan Muenther" <jan at ...206...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 05, 2000 11:20 AM
Subject: [Snort-users] every connection a portscan....??


> I have this one host which makes the portscan preprocessor go wild
> every time a TCP connection is established...
>
> I think it's the first packet sent from the remote host with
> strange TCP flags being set... like this:
>
> [**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
> 09/26-18:09:03.858555 149.221.232.4:1069 -> xx.xxx.x.xxx:25
> TCP TTL:49 TOS:0x0 ID:0  DF
> 21S***** Seq: 0x214F4222   Ack: 0x0   Win: 0x16D0
> TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> I know from my mail logs that this was probably nothing else than
> a mail being delivered, so it doesn't really prevent me from
> sleeping. Still, I'd like to know where these flags come from...
> or is something else triggering snort alerts and I'm too silly to
> see it??
>
> The strange flags could also trigger the fingerprint alert
> because - as we all know after reading Fyodor's Phrack paper
> ;o)) - the reaction towards these can be very telling.
>
> Hm. Anybody seen this and knows what causes it...?? I can
> reproduce it by manually making a TCP connection with every given
> protocol, so it's not smtp specific...
>
> TIA,
>
> Cheers, Jan
> --
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
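A small triage helper, added here as an example and not code from the thread or from Snort itself: it reads the flags field of a Snort 1.x text alert like the one Jan quoted and labels the SYN as a well-formed ECN-setup SYN (the two reserved bits Snort prints as "2" and "1", which the ECN RFC names CWR and ECE, plus SYN), a plain SYN, or something malformed. The Queso rule fires on any SYN with both reserved bits set, which is exactly the ECN handshake, so the flags alone cannot separate an ECN-capable mail server from a probe. The function names and the sample alert below are my own; the addresses in it are constructed.

```python
import re

# TCP flag bits: RFC 793 flags plus the two reserved bits that the ECN RFC
# (RFC 2481 at the time of this thread, now RFC 3168) defines as ECE and CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Snort 1.x prints the flags as an 8-character field: a letter marks a set bit,
# '*' a clear bit, and '2'/'1' are the reserved bits later named CWR/ECE.
# Mapping by letter rather than by column keeps the parser independent of the
# column order a given Snort release used.
_SNORT_FLAG_CHARS = {"2": CWR, "1": ECE, "U": URG, "A": ACK,
                     "P": PSH, "R": RST, "S": SYN, "F": FIN}

def parse_snort_flags(field: str) -> int:
    """'21S*****' -> 0xC2 (CWR|ECE|SYN)."""
    flags = 0
    for ch in field:
        if ch == "*":
            continue
        if ch not in _SNORT_FLAG_CHARS:
            raise ValueError(f"unknown flag character {ch!r} in {field!r}")
        flags |= _SNORT_FLAG_CHARS[ch]
    return flags

def classify(flags: int) -> str:
    """Label the handshake pattern a flags byte represents (RFC 3168 6.1.1):
    an ECN-setup SYN carries ECE+CWR, an ECN-setup SYN-ACK carries ECE only."""
    if not flags & SYN:
        return "not-a-syn"
    if flags & (FIN | RST | PSH | URG):
        return "malformed-syn"            # no legitimate handshake combines these with SYN
    ecn = flags & (ECE | CWR)
    if flags & ACK:
        return {0: "plain-syn-ack", ECE: "ecn-setup-syn-ack"}.get(ecn, "unexpected-ecn-bits")
    return {0: "plain-syn", ECE | CWR: "ecn-setup-syn"}.get(ecn, "unexpected-ecn-bits")

_FLAGS_FIELD = re.compile(r"(?m)^(?P<flags>[21UAPRSF*]{8})\s+Seq:")

def triage_alert(alert_text: str) -> str:
    """Pull the flags field out of a Snort 1.x text alert and classify it."""
    m = _FLAGS_FIELD.search(alert_text)
    if m is None:
        raise ValueError("no TCP flags line found in alert")
    return classify(parse_snort_flags(m.group("flags")))

# Constructed alert in the format of the one quoted in the thread; the
# addresses are RFC 5737 documentation addresses, not the original ones.
SAMPLE_ALERT = """[**] IDS029 - SCAN-Possible Queso Fingerprint attempt [**]
09/26-18:09:03.858555 192.0.2.4:1069 -> 198.51.100.7:25
TCP TTL:49 TOS:0x0 ID:0  DF
21S***** Seq: 0x214F4222   Ack: 0x0   Win: 0x16D0
TCP Options => MSS: 1460 SackOK TS: 60719014 0 NOP WS: 0
"""

if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT))   # ecn-setup-syn
```

An "ecn-setup-syn" result on an otherwise unremarkable connection to port 25 is the case this thread describes; a "malformed-syn" or "unexpected-ecn-bits" result is the one still worth a closer look.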