[Snort-users] Help with a portscan(s)

Sean C Doherty seand at ...232...
Mon Jan 22 16:26:43 EST 2001


Hello,

I wonder if anyone can help me figure out what is happening with one
specific user who is using an ISP/dial-up port to access our external web
servers.  The following portscan log generated by Snort 1.6.23-WIN32 is
typical of whenever the user is online.  (No other users (hundreds) who
access the web servers (daily) generate this type of portscan alert.)  As
the log shows, much of the traffic is to ports 80 and 443 which would be
legitimate web traffic, but 259 is used frequently.  (I have also seen port
111 used in other portscan logs from this user.)  If other http/https users
were generating the same type of portscan alert I would have assumed it was
due mainly to http traffic, but this user is the only one generating the
alert!

Following is a portion of the portscan.log:

Jan 22 10:16:37 63.253.73.198:4219 -> x.x.x.1:443 SYN **S*****
Jan 22 10:16:37 63.253.73.198:32847 -> x.x.x.1:259 FIN ***F****
Jan 22 10:16:51 63.253.73.198:4220 -> x.x.x.1:443 SYN **S*****
Jan 22 10:16:51 63.253.73.198:5635 -> x.x.x.1:0 NOACK 2***RP*U RESERVEDBITS
Jan 22 10:17:27 63.253.73.198:4222 -> x.x.x.1:443 SYN **S*****
Jan 22 10:17:28 63.253.73.198:5635 -> x.x.x.1:0 NOACK ***FR***
Jan 22 10:18:14 63.253.73.198:4224 -> x.x.x.1:443 SYN **S*****
Jan 22 10:18:06 63.253.73.198:5635 -> x.x.x.1:0 INVALIDACK 2*SF**A* RESERVEDBITS
Jan 22 10:31:08 63.253.73.196:4225 -> x.x.x.1:443 SYN **S*****
Jan 22 10:31:08 63.253.73.196:32847 -> x.x.x.1:259 FIN ***F****
Jan 22 10:31:24 63.253.73.196:4226 -> x.x.x.1:443 SYN **S*****
Jan 22 10:31:37 63.253.73.218:1282 -> x.x.x.2:80 SYN **S*****
Jan 22 10:31:37 63.253.73.218:18245 -> x.x.x.2:21536 NOACK 2**FRP*U RESERVEDBITS
Jan 22 10:31:44 63.253.73.218:1283 -> x.x.x.2:443 SYN **S*****
Jan 22 10:31:45 63.253.73.218:5635 -> x.x.x.2:0 NOACK 21S*RP** RESERVEDBITS
Jan 22 10:32:55 63.253.73.218:1285 -> x.x.x.2:443 SYN **S*****
Jan 22 10:32:55 63.253.73.218:5635 -> x.x.x.2:0 INVALIDACK 21S*R*A* RESERVEDBITS
Jan 22 10:33:26 63.253.73.196:4230 -> x.x.x.1:443 SYN **S*****
Jan 22 10:33:18 63.253.73.196:5635 -> x.x.x.1:0 NOACK 21SFR**U RESERVEDBITS
Jan 22 10:33:27 63.253.73.196:5635 -> x.x.x.1:0 INVALIDACK 2*SFR*AU RESERVEDBITS
Jan 22 10:34:43 63.253.73.218:1290 -> x.x.x.2:443 SYN **S*****
Jan 22 10:34:43 63.253.73.218:5635 -> x.x.x.2:0 UNKNOWN 2*S***A* RESERVEDBITS
Jan 22 10:34:49 63.253.73.196:4237 -> x.x.x.40:80 SYN **S*****
Jan 22 10:34:57 63.253.73.196:4240 -> x.x.x.1:80 SYN **S*****
Jan 22 10:34:57 63.253.73.196:18245 -> x.x.x.1:21536 NOACK **S*RP*U
Jan 22 10:34:59 63.253.73.196:4241 -> x.x.x.1:443 SYN **S*****
Jan 22 10:35:01 63.253.73.196:32847 -> x.x.x.1:259 FIN ***F****
Jan 22 10:35:06 63.253.73.218:1291 -> x.x.x.2:443 SYN **S*****
Jan 22 10:35:06 63.253.73.218:5635 -> x.x.x.2:0 INVALIDACK 21*FR*A* RESERVEDBITS
Jan 22 10:35:09 63.253.73.196:4242 -> x.x.x.1:443 SYN **S*****
Jan 22 10:35:09 63.253.73.196:5635 -> x.x.x.1:0 UNKNOWN 2***R*** RESERVEDBITS
Jan 22 10:35:26 63.253.73.218:1292 -> x.x.x.2:443 SYN **S*****
Jan 22 10:35:26 63.253.73.218:5635 -> x.x.x.2:0 NOACK 2***RP** RESERVEDBITS
Jan 22 10:35:27 63.253.73.196:4246 -> x.x.x.1:443 SYN **S*****

Could this be just web browser/user specific or is there something more
nefarious going on?

Any ideas would be very welcome.

Sean D
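As an added example (not from the post above and not Snort's own code), a small Python parser for the Snort 1.x portscan.log format shown in the message: it re-joins the RESERVEDBITS tokens that the mail client wrapped onto their own lines, decodes the eight-character flag field, and tallies per source address which entries look like ordinary web SYNs and which carry flag combinations a normal client would not send. The triage labels are this example's own scheme, not anything Snort reports; the sample records are copied from the post.

```python
import re
from collections import Counter

# Snort 1.x portscan.log records copied from the post above; the third one is
# wrapped exactly as the mail client wrapped it.
SAMPLE = """\
Jan 22 10:16:37 63.253.73.198:4219 -> x.x.x.1:443 SYN **S*****
Jan 22 10:16:37 63.253.73.198:32847 -> x.x.x.1:259 FIN ***F****
Jan 22 10:18:06 63.253.73.198:5635 -> x.x.x.1:0 INVALIDACK 2*SF**A*
RESERVEDBITS
Jan 22 10:31:37 63.253.73.218:1282 -> x.x.x.2:80 SYN **S*****
Jan 22 10:34:57 63.253.73.196:18245 -> x.x.x.1:21536 NOACK **S*RP*U
"""
# The 8-char flag field lists TCP bits in the order Snort 1.x prints them:
# reserved 2, reserved 1, SYN, FIN, RST, PSH, ACK, URG; '*' means the bit is clear.
FLAG_ORDER = "21SFRPAU"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"(?P<kind>\w+) (?P<flagstr>[21SFRPAU*]{8})(?P<rsv> RESERVEDBITS)?$")

def unwrap(text):  # re-join a RESERVEDBITS token that mail wrapping split off
    return re.sub(r"\n\s*RESERVEDBITS\b", " RESERVEDBITS", text).splitlines()

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = {FLAG_ORDER[i] for i, c in enumerate(rec["flagstr"]) if c != "*"}
    rec["reserved"] = rec.pop("rsv") is not None
    return rec

def classify(rec):  # triage label; the label scheme is this example's own
    f = rec["flags"]
    if rec["reserved"] or f & {"2", "1"}:
        return "reserved-bits"   # header bits a plain TCP stack should not set (see note)
    if {"S", "F"} <= f:
        return "syn+fin"         # contradictory flags: crafted or mangled packet
    if f == {"F"}:
        return "fin-only"        # FIN without ACK, what Snort's FIN-scan check keys on
    if f == {"S"}:
        return "web-syn" if rec["dport"] in (80, 443) else "syn-other-port"
    return "unusual-flags"

def summarize(text):  # source address -> Counter of triage labels
    out = {}
    for rec in filter(None, map(parse_line, unwrap(text))):
        out.setdefault(rec["src"], Counter())[classify(rec)] += 1
    return out
```

The reserved bits Snort 1.x reports are the two TCP header bits used by ECN (RFC 3168), so a RESERVEDBITS count by itself does not establish hostile intent; the SYN+FIN and destination-port-0 entries are the ones a normal browser session cannot produce.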