[Snort-users] Possible Queso Fingerprint attempt?

Ookhoi ookhoi at ...1580...
Tue Mar 13 13:00:36 EST 2001


Hi!

Our ISP blocked our webserver for a while because Company mailed them
that they had been portscanned by us, according to their Snort log,
which is included below.

Now, we don't portscan, of course, and we can't find any proof of a break-in
(maybe somebody else wanted to do us a favor and portscan on our behalf ;-).
Besides, the Snort log only mentions a scan of port 25 on two of their
servers, which both happen to be mail gateways.

According to the database on the webserver, someone from Company
subscribed to a forum on our site early this month. The forum sends out
mail every morning, and thus also to the two mail gateways.

According to our mail logs, our mailserver delivered mail to the mail
gateways on the days mentioned in the Snort log, but not at the same
times as the scans.

Our mailserver is Postfix, and we use Linux kernel 2.4 with ECN enabled.
Can it be that Postfix tried to deliver mail and that Snort somehow
found the TCP connection to be mangled in some way?
I read that a Queso fingerprint works by changing some things in the TCP
packets.
Will Snort abort the connection when it detects a Queso fingerprint, or
does it only log the attempt?

I searched the Internet and my Postfix archives for something similar
but didn't succeed. I didn't look in the Snort archives.

I appreciate all your thoughts, tips, advisories and even flames and
RTFMs :-)
Please CC me when you do so, as I can't keep up with the Postfix
mailing list, and barely with the Snort mailing list.

Thanx!

	Ookhoi


victim-ip1 and victim-ip2 are the mail gateways of Company.
our-server-ip is our server. :-)


Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:46173 -> [victim-ip1]:25
Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 06:53:18 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 06:53:18 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:46305 -> [victim-ip1]:25
Mar 11 06:53:22 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:53:26 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 07:06:19 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 07:06:19 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:46779 -> [victim-ip2]:25
Mar 11 07:06:23 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 07:06:27 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 14:48:34 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 14:48:34 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:50001 -> [victim-ip1]:25
Mar 11 14:48:37 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 14:48:42 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:31:35 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:31:35 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53294 -> [victim-ip1]:25
Mar 12 04:31:38 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53306 -> [victim-ip1]:25
Mar 12 04:31:39 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:31:43 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(3s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:34:48 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53594 -> [victim-ip1]:25
Mar 12 04:34:52 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53624 -> [victim-ip1]:25
Mar 12 04:34:56 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
Mar 12 04:38:16 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:38:16 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53929 -> [victim-ip1]:25
Mar 12 04:38:20 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:24 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:38:47 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:38:47 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53999 -> [victim-ip1]:25
Mar 12 04:38:51 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:53 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:54022 -> [victim-ip1]:25
Mar 12 04:38:55 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:59 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
Mar 12 04:50:21 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:50:21 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:54673 -> [victim-ip2]:25
Mar 12 04:50:25 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:50:29 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 06:46:59 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 06:46:59 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:46084 -> [victim-ip1]:25
Mar 11 06:47:03 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:47:07 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:47:13 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 06:47:13 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:37467 -> [victim-ip1]:25
Mar 10 06:47:17 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:47:21 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:50:15 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 06:50:15 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:37815 -> [victim-ip1]:25
Mar 10 06:50:17 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:37819 -> [victim-ip1]:25
Mar 10 06:50:19 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:50:23 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(2s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:54:09 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 06:54:09 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:38244 -> [victim-ip1]:25
Mar 10 06:54:13 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:54:17 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:06:06 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 07:06:06 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:39343 -> [victim-ip2]:25
Mar 10 07:06:10 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:06:14 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:10:46 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 07:10:46 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:39587 -> [victim-ip2]:25
Mar 10 07:10:50 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:10:54 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:12:51 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 07:12:51 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:39925 -> [victim-ip2]:25
Mar 10 07:12:55 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:12:59 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:14:37 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 07:14:37 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:40085 -> [victim-ip2]:25
Mar 10 07:14:41 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:14:45 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 13:27:02 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 13:27:02 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:42035 -> [victim-ip2]:25
Mar 10 13:27:06 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 13:27:10 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 06:55:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  9 06:55:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:57168 -> [victim-ip1]:25
Mar  9 06:55:33 fw snort[32119]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 06:55:37 fw snort[32119]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:06:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  9 07:06:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:58556 -> [victim-ip2]:25
Mar  9 07:06:33 fw snort[32119]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:06:37 fw snort[32119]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:11:15 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  9 07:11:15 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:58974 -> [victim-ip2]:25
Mar  9 07:11:19 fw snort[32119]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:11:23 fw snort[32119]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:18:24 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  9 07:18:24 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:59910 -> [victim-ip2]:25
Mar  9 07:18:28 fw snort[32119]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:18:32 fw snort[32119]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 06:54:08 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  8 06:54:08 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:48160 -> [victim-ip1]:25
Mar  8 06:54:12 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 06:54:16 fw snort[31035]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:06:11 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  8 07:06:11 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:49166 -> [victim-ip2]:25
Mar  8 07:06:15 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:06:19 fw snort[31035]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:11:04 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  8 07:11:04 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:49590 -> [victim-ip2]:25
Mar  8 07:11:08 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:11:12 fw snort[31035]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:17:18 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  8 07:17:18 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:50227 -> [victim-ip2]:25
Mar  8 07:17:22 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:26 fw snort[31035]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:17:43 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar  8 07:17:43 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:50432 -> [victim-ip2]:25
Mar  8 07:17:47 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:49 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:50479 -> [victim-ip2]:25
Mar  8 07:17:51 fw snort[31035]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:55 fw snort[31035]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
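The log pasted above can be triaged mechanically, and doing so answers the
question the post raises. The script below is an added example (editor's
code, not part of the original post or of Snort). It embeds an excerpt of the
poster's own log lines, with the placeholders the poster used, and reduces
them to the facts that matter: every "portscan" is one or two TCP connections
to a single host, always on port 25, never UDP, and the alerts cluster in the
early morning, which is what an MTA opening SMTP connections looks like, not
what a scanner looks like. The second half shows why an MTA could trigger the
Queso rule at all: the IDS029 signature of that era matched on `flags:S12`,
i.e. a SYN with both then-reserved TCP flag bits set, and a Linux 2.4 host
with `net.ipv4.tcp_ecn=1` sends exactly that (SYN with ECE and CWR, per RFC
2481) on every outgoing connection. The bit-to-name mapping follows Snort's
`flags:` option, which names the MSB (now CWR) `1` and the next bit (now ECE)
`2`; all function and variable names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the Snort log from the post above, placeholders as the poster wrote them.
SNORT_LOG = """\
Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:46173 -> [victim-ip1]:25
Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:34:48 fw snort[354]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53594 -> [victim-ip1]:25
Mar 12 04:34:52 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:53624 -> [victim-ip1]:25
Mar 12 04:34:56 fw snort[354]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
Mar 10 07:06:06 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from [our-server-ip] (STEALTH)
Mar 10 07:06:06 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint attempt: [our-server-ip]:39343 -> [victim-ip2]:25
Mar 10 07:06:10 fw snort[32498]: spp_portscan: portscan status from [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:06:14 fw snort[32498]: spp_portscan: End of portscan from [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
"""

# One IDS029 alert line: date, time, then "src:sport -> dst:dport".
ALERT_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"IDS029 - SCAN-Possible Queso Fingerprint attempt: "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
# spp_portscan's closing summary: how many hosts and connections the "scan" touched.
END_RE = re.compile(
    r"End of portscan from (?P<src>\S+): TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)"
)


def parse_log(text):
    """Split syslog text into IDS029 alerts and spp_portscan end-of-scan summaries."""
    alerts, scans = [], []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["hour"] = int(d["time"][:2])
            alerts.append(d)
            continue
        m = END_RE.search(line)
        if m:
            scans.append({k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()})
    return alerts, scans


def triage(text):
    """Reduce the log to the facts that separate a port scan from SMTP delivery."""
    alerts, scans = parse_log(text)
    dst_ports = sorted({a["dport"] for a in alerts})
    max_hosts = max((s["hosts"] for s in scans), default=0)
    max_tcp = max((s["tcp"] for s in scans), default=0)
    udp_total = sum(s["udp"] for s in scans)
    return {
        "alerts": len(alerts),
        "scans": len(scans),
        "dst_ports": dst_ports,
        "dst_hosts": sorted({a["dst"] for a in alerts}),
        "max_hosts_per_scan": max_hosts,
        "max_tcp_per_scan": max_tcp,
        "udp_total": udp_total,
        "alerts_by_hour": dict(Counter(a["hour"] for a in alerts)),
        # A scan sweeps ports and/or hosts; one or two SYNs to port 25 on one host
        # per "scan", and no UDP at all, is an MTA opening SMTP connections.
        "looks_like_mail_delivery": dst_ports == [25] and max_hosts == 1 and udp_total == 0,
    }


# TCP flag bits in the order they occupy the low byte of the offset/flags field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def snort_flag_string(flags):
    """Name a flags byte the way Snort's 'flags:' option does: F S R P A U for the
    classic six, '1' for the MSB (CWR) and '2' for the next bit (ECE), the two bits
    that were still 'reserved' when the Queso rule was written."""
    names = ((FIN, "F"), (SYN, "S"), (RST, "R"), (PSH, "P"),
             (ACK, "A"), (URG, "U"), (CWR, "1"), (ECE, "2"))
    return "".join(name for bit, name in names if flags & bit)


def matches_queso_signature(flags):
    """The IDS029 rule of the time was flags:S12: exactly SYN plus both reserved bits.
    An ECN-capable SYN (Linux 2.4, tcp_ecn=1) is SYN|ECE|CWR, so it matches."""
    return flags == SYN | ECE | CWR


if __name__ == "__main__":
    for key, value in triage(SNORT_LOG).items():
        print(f"{key:24} {value}")
    for label, f in (("plain SYN", SYN),
                     ("ECN SYN (Linux 2.4, tcp_ecn=1)", SYN | ECE | CWR),
                     ("ECN SYN/ACK", SYN | ACK | ECE)):
        print(f"{label:32} flags={snort_flag_string(f):4} queso? {matches_queso_signature(f)}")
```

Run against the full log from the post the verdict is the same: only port 25,
only the two gateways, at most two connections per "scan". Note also that a
Snort rule of this kind only logs what it sees on the wire; it does not tear
down the connection (Snort could only send resets when built with the
optional flexresp support and the rule carried a `resp:` option), so the
delivery itself is unaffected, which is consistent with the mail logs showing
successful delivery.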