[Snort-users] Stealth scan question...

JPP jpp at ...1565...
Tue Mar 13 16:01:50 EST 2001


Hi ya'all!!

I run an IRC server; it seems it gets what is being classified as an
spp_portscan: STEALTH scan hit at various times.

These particular entries have been showing up in my IPCHAINS logs for
quite some time and are automatically blocked. They come primarily to
port(s) 17727 and 17746; the firewall stops them, but SNORT (which I
just started using to monitor the IRC and web servers) is seeing them as
possible Stealth scans.
Possibly these are "false positives"?
The IP address doing it has done it twice today, is a dialup, and both
times it appears it is being done upon connection to the IRC server.

portscan log entries are as follows: (IPs edited)

Mar 13 13:26:09 62.137.xxx.xxx:1456 -> 192.148.xxx.xxx:6667 SYN ******S*
Mar 13 13:26:09 62.137.xxx.xxx:20041 -> 192.148.xxx.xxx:17227 INVALIDACK **UA**SF
Mar 13 13:26:09 62.137.xxx.xxx:21843 -> 192.148.xxx.xxx:17746 NOACK *2U**R** RESERVEDBITS
Mar 13 13:26:09 62.137.xxx.xxx:12596 -> 192.148.xxx.xxx:13622 INVALIDACK *2*A*R*F RESERVEDBITS

There were/are 2 of these from the same basic host (as I said, dialup).
Any thoughts? Ignore it? Something to try and filter, perhaps, so we do
not see these types of portscan attempts logged continuously? Or are
they just being PITAs and SYNing the server to be annoying?

Thanks folks - nice program!

Jerome
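The four spp_portscan lines quoted above carry all the information needed to answer the "false positive?" question: the eight-character string after the label is the TCP flag byte, printed in the order reserved-bit-1, reserved-bit-2, URG, ACK, PSH, RST, SYN, FIN (a `*` means the bit is clear), and that layout is simply read off the lines in the post. The following is an added example, written for this thread and not code from Snort or from the poster: it parses lines in that format, decodes the flag string, and applies a simplified classification of the kind spp_portscan's labels suggest. The classification rules (which ACK-bearing combinations count as "invalid", which flagless combinations are scan signatures) are this example's own approximation, not Snort's source, and the sample input is the post's own four lines, embedded as constructed data.

```python
"""Decode Snort 1.x spp_portscan log lines and mark impossible TCP flag sets.

Added example for this thread; not code from Snort or the original poster.
Flag-string layout "12UAPRSF" is taken from the lines in the post.  The
type labels below are a simplified approximation of spp_portscan's (an
assumption for illustration, not Snort's actual classification code).
"""
import re

# Constructed sample: the four lines quoted in the post (IPs masked as the poster did).
SAMPLE_LOG = """\
Mar 13 13:26:09 62.137.xxx.xxx:1456 -> 192.148.xxx.xxx:6667 SYN ******S*
Mar 13 13:26:09 62.137.xxx.xxx:20041 -> 192.148.xxx.xxx:17227 INVALIDACK **UA**SF
Mar 13 13:26:09 62.137.xxx.xxx:21843 -> 192.148.xxx.xxx:17746 NOACK *2U**R** RESERVEDBITS
Mar 13 13:26:09 62.137.xxx.xxx:12596 -> 192.148.xxx.xxx:13622 INVALIDACK *2*A*R*F RESERVEDBITS
"""

# One spp_portscan line: timestamp, src:port -> dst:port, Snort's label, 8-char flags, extra tags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<label>\S+) (?P<flags>[12UAPRSF*]{8})(?P<extra>(?: \S+)*)$"
)

# Position i of the flag string prints this letter when the bit is set, '*' when clear.
FLAG_POSITIONS = "12UAPRSF"  # reserved 1, reserved 2, URG, ACK, PSH, RST, SYN, FIN


def parse_flags(flagstr):
    """Return the set of flag letters set in an 8-character flag string."""
    if len(flagstr) != 8:
        raise ValueError("flag string must be 8 characters: %r" % flagstr)
    flags = set()
    for expected, ch in zip(FLAG_POSITIONS, flagstr):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError("unexpected %r at a %r position in %r" % (ch, expected, flagstr))
        flags.add(ch)
    return flags


def classify(flags):
    """Simplified type label (assumption, modelled loosely on spp_portscan's labels).

    Legitimate TCP never sets SYN and FIN together, nor RST together with
    SYN or FIN, so those combinations are "INVALIDACK" when ACK is present.
    """
    core = frozenset(flags) - {"1", "2"}      # judge the combination without reserved bits
    if core == {"S"}:
        return "SYN"                          # ordinary connection attempt
    if core == {"S", "F"}:
        return "SYNFIN"
    if core == {"F"}:
        return "FIN"
    if not core:
        return "NULL"
    if core == {"U", "P", "F"}:
        return "XMAS"
    if "A" in core:
        if {"S", "F"} <= core or ("R" in core and core & {"S", "F"}):
            return "INVALIDACK"               # ACK plus an impossible companion set
        return "ACK"                          # ACK, ACK+PSH, SYN+ACK, FIN+ACK, RST+ACK...
    return "NOACK"                            # no ACK and not a known scan pattern


def analyze(log_text):
    """Parse every spp_portscan line and annotate it; returns a list of dicts."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # not an spp_portscan line; skip it
        flags = parse_flags(m.group("flags"))
        kind = classify(flags)
        rows.append({
            "dport": int(m.group("dport")),
            "snort_label": m.group("label"),
            "flags": "".join(sorted(flags)),
            "type": kind,
            "reserved_bits": bool(flags & {"1", "2"}),
            # A lone SYN or a normal ACK-bearing packet is ordinary traffic; anything
            # else is a flag set real TCP stacks do not emit.
            "suspicious": kind not in ("SYN", "ACK"),
        })
    return rows


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print("port %-5d snort=%-10s flags=%-6s type=%-10s reserved=%-5s suspicious=%s"
              % (r["dport"], r["snort_label"], r["flags"], r["type"],
                 r["reserved_bits"], r["suspicious"]))
```

Run over the post's lines, the SYN to port 6667 comes out as an ordinary connect (the IRC client arriving), while the other three packets, sent in the same second from the same host, carry flag sets (URG+ACK+SYN+FIN, URG+RST with a reserved bit, ACK+RST+FIN with a reserved bit) that no conforming TCP stack produces; that is what earns them the "stealth" label, and it is not a false positive in the sense of a misread packet. One caveat that matters when applying this to newer traffic: the two former reserved bits were later assigned to ECN (CWR and ECE, RFC 3168), so a modern host may legitimately set them on a SYN; the combinations above remain bogus regardless of those bits.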



