[Snort-users] Scan Proxy

Togan Muftuoglu toganm at ...603...
Tue Apr 24 02:13:36 EDT 2001


Hi, I am currently using snort 1-8 beta3. I have an ADSL connection with rp-pppoe, so I have the ppp0 interface monitored.

I have been getting lots of SCAN Proxy Attempts lately to ports 1080, 8080 and 3128. I do not have these services on my firewall anyway. However, I was not getting anything like this before when I was using 1.7 that came with SuSE.

First of all, are these false positives, and secondly, where can I get more information about classification.config documentation?

And finally, to my understanding snort 1.8 is not compatible with aris extractor, since extractor does not upload these new messages, or am I doing it wrong?

My snort.conf is not changed much, except I use the syslog facilities, and it runs in daemon mode.

TIA
-- 
Togan Muftuoglu

Apr 23 23:18:52 gardiyan snort: MISC Large ICMP Packet [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.199.79 -> 170.54.59.138
Apr 24 00:28:51 gardiyan pppoe[31498]: Bad TCP checksum 254b
Apr 24 00:28:51 gardiyan snort: spp_portscan: PORTSCAN DETECTED from 66.38.151.10 (STEALTH)
Apr 24 00:28:51 gardiyan snort: spp_portscan: End of portscan from 169.207.3.69: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Apr 24 00:28:51 gardiyan snort: spp_portscan: portscan status from 168.144.1.11: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Apr 24 03:39:50 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 211.0.3.114:4390 -> 212.156.199.79:1080
Apr 24 03:39:54 gardiyan last message repeated 3 times
Apr 24 03:40:01 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 211.0.3.114:4429 -> 212.156.199.79:1080
Apr 24 03:40:05 gardiyan last message repeated 3 times
Apr 24 04:36:42 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 24.30.250.22:3143 -> 212.156.199.79:8080
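
Added example, not part of the original post or of Snort: a Python tally of the syslog alerts above per signature, source address and destination port, expanding syslog's "last message repeated N times" lines so the counts reflect the actual number of alerts. The regexes and the `summarize` name are assumptions fitted to the log lines shown in this post.

```python
import re
from collections import Counter

# Lines copied from the syslog excerpt in the post above.
SAMPLE = """\
Apr 23 23:18:52 gardiyan snort: MISC Large ICMP Packet [Classification: Potentially Bad Traffic   Priority: 2]: 212.156.199.79 -> 170.54.59.138
Apr 24 00:28:51 gardiyan pppoe[31498]: Bad TCP checksum 254b
Apr 24 03:39:50 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 211.0.3.114:4390 -> 212.156.199.79:1080
Apr 24 03:39:54 gardiyan last message repeated 3 times
Apr 24 03:40:01 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 211.0.3.114:4429 -> 212.156.199.79:1080
Apr 24 03:40:05 gardiyan last message repeated 3 times
Apr 24 04:36:42 gardiyan snort: SCAN Proxy attempt [Classification: Attempted Information Leak   Priority: 3]: 24.30.250.22:3143 -> 212.156.199.79:8080
"""

# Alert line with classification; ports are optional (ICMP alerts have none).
ALERT = re.compile(
    r"snort: (?P<msg>.+?) \[Classification: (?P<cls>.+?)\s+Priority: (?P<prio>\d+)\]: "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
REPEAT = re.compile(r"last message repeated (\d+) times$")

def summarize(text):
    """Count alerts keyed by (signature, source IP, destination port)."""
    counts = Counter()
    last_key = None  # key of the alert on the immediately preceding line
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            last_key = (m["msg"], m["src"], m["dport"])
            counts[last_key] += 1
            continue
        r = REPEAT.search(line)
        if r and last_key is not None:
            # Assumption: the repeat notice refers to the alert just before it.
            counts[last_key] += int(r.group(1))
        else:
            # Any other line breaks the chain, so a later repeat notice
            # is not credited to an unrelated alert.
            last_key = None
    return counts

if __name__ == "__main__":
    for (msg, src, dport), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {msg}  from {src}  dport={dport}")
```
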







