[Snort-users] Possible Queso Fingerprint attempt?

Aaron S. Carmichael aaron at ...532...
Thu Mar 15 05:03:18 EST 2001


We have noticed something very much the same. The offending Possible Queso
Fingerprint was coming from a linux org in Virginia. Now we know this
particular system has not been compromised, but every time one of our users
gets mail from their list snort sees it as a Possible Queso Fingerprint.

Kind of a drag since they tend to send 50 to 100 messages to the list
members a day and logging that and checking up on it sucks.

Let me know if you find a solution and I will pass it on to the system I am
talking about.

Aaron S. Carmichael
CTO/VP Information Technology
TimeCertain, LLC.
202-244-3243 (voice)
202-244-5694 (fax)
aaron at ...532...
http://www.timecertain.com

----------------------------------------
This message is for the named persons use only.  It may contain
confidential, proprietary or legally privileged information.  No
confidentiality or privilege is waived or lost by any mistransmission.  If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender.  You must not, directly or indirectly, use, disclose, distribute,
print, or copy any part of this message if you are not the intended
recipient. Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is
authorized to state them to be the views of any such entity.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ookhoi
Sent: Tuesday, March 13, 2001 1:01 PM
To: snort-users at lists.sourceforge.net; postfix-users at ...1581...
Cc: snort-devel at lists.sourceforge.net
Subject: [Snort-users] Possible Queso Fingerprint attempt?


Hi!

Our ISP blocked our webserver for a while because (a) Company mailed
that they were portscanned by us according to their hereby included
snort log.

Now we don't portscan of course, and can't find proof of a break-in
(maybe somebody else wanted to do us a favor and do a portscan for us ;-)
And besides, in the snort log only a scan at port 25 is mentioned at two
of their servers, which both happen to be mail gateways.

According to the database on the webserver, someone from Company
subscribed to a forum on our site early this month. The forum sends out
mails every morning, and thus also to the two mail gateways.

According to our mail logs, our mailserver delivered mails to the mail
gateways on the days mentioned in the snort log, but not at the same
time as the scans.

Our mailserver is postfix, and we use linux kernel 2.4 with ECN enabled.
Can it be that postfix tried to deliver mail and that snort somehow
found the tcp connection to be mangled in some way?
I read that a Queso Fingerprint works by changing some things in the tcp
packets.
Will snort abort the connection when it detects a Queso Fingerprint, or
does it only log the attempt?

I searched the Internet and my postfix archives for something similar
but didn't succeed. Didn't look in the snort archives.

I appreciate all your thoughts, tips, advisories and even flames and
rtfms :-)
Please cc me when you do so, as I can't keep up with the postfix
mailing list, and barely with the snort mailing list.

Thanx!

	Ookhoi


victim-ip1 and victim-ip2 are the mail gateways of Company.
our-server-ip is our server. :-)


Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46173 -> [victim-ip1]:25
Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 06:53:18 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 06:53:18 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46305 -> [victim-ip1]:25
Mar 11 06:53:22 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:53:26 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 07:06:19 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 07:06:19 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46779 -> [victim-ip2]:25
Mar 11 07:06:23 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 07:06:27 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 14:48:34 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 14:48:34 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:50001 -> [victim-ip1]:25
Mar 11 14:48:37 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 14:48:42 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:31:35 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 12 04:31:35 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53294 -> [victim-ip1]:25
Mar 12 04:31:38 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53306 -> [victim-ip1]:25
Mar 12 04:31:39 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:31:43 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(3s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:34:48 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53594 -> [victim-ip1]:25
Mar 12 04:34:52 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53624 -> [victim-ip1]:25
Mar 12 04:34:56 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
Mar 12 04:38:16 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 12 04:38:16 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53929 -> [victim-ip1]:25
Mar 12 04:38:20 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:24 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:38:47 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 12 04:38:47 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53999 -> [victim-ip1]:25
Mar 12 04:38:51 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:53 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:54022 -> [victim-ip1]:25
Mar 12 04:38:55 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:38:59 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
Mar 12 04:50:21 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 12 04:50:21 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:54673 -> [victim-ip2]:25
Mar 12 04:50:25 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 12 04:50:29 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 06:46:59 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 06:46:59 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46084 -> [victim-ip1]:25
Mar 11 06:47:03 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:47:07 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:47:13 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 06:47:13 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:37467 -> [victim-ip1]:25
Mar 10 06:47:17 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:47:21 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:50:15 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 06:50:15 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:37815 -> [victim-ip1]:25
Mar 10 06:50:17 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:37819 -> [victim-ip1]:25
Mar 10 06:50:19 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:50:23 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(2s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 06:54:09 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 06:54:09 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:38244 -> [victim-ip1]:25
Mar 10 06:54:13 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 06:54:17 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:06:06 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 07:06:06 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:39343 -> [victim-ip2]:25
Mar 10 07:06:10 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:06:14 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:10:46 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 07:10:46 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:39587 -> [victim-ip2]:25
Mar 10 07:10:50 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:10:54 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:12:51 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 07:12:51 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:39925 -> [victim-ip2]:25
Mar 10 07:12:55 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:12:59 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 07:14:37 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 07:14:37 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:40085 -> [victim-ip2]:25
Mar 10 07:14:41 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 07:14:45 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 10 13:27:02 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 10 13:27:02 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:42035 -> [victim-ip2]:25
Mar 10 13:27:06 fw snort[32498]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 10 13:27:10 fw snort[32498]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 06:55:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  9 06:55:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:57168 -> [victim-ip1]:25
Mar  9 06:55:33 fw snort[32119]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 06:55:37 fw snort[32119]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:06:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  9 07:06:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:58556 -> [victim-ip2]:25
Mar  9 07:06:33 fw snort[32119]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:06:37 fw snort[32119]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:11:15 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  9 07:11:15 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:58974 -> [victim-ip2]:25
Mar  9 07:11:19 fw snort[32119]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:11:23 fw snort[32119]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  9 07:18:24 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  9 07:18:24 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:59910 -> [victim-ip2]:25
Mar  9 07:18:28 fw snort[32119]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  9 07:18:32 fw snort[32119]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 06:54:08 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  8 06:54:08 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:48160 -> [victim-ip1]:25
Mar  8 06:54:12 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 06:54:16 fw snort[31035]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:06:11 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  8 07:06:11 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:49166 -> [victim-ip2]:25
Mar  8 07:06:15 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:06:19 fw snort[31035]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:11:04 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  8 07:11:04 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:49590 -> [victim-ip2]:25
Mar  8 07:11:08 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:11:12 fw snort[31035]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:17:18 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  8 07:17:18 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:50227 -> [victim-ip2]:25
Mar  8 07:17:22 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:26 fw snort[31035]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar  8 07:17:43 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar  8 07:17:43 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:50432 -> [victim-ip2]:25
Mar  8 07:17:47 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:49 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:50479 -> [victim-ip2]:25
Mar  8 07:17:51 fw snort[31035]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar  8 07:17:55 fw snort[31035]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
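The question Ookhoi asks is whether Postfix on a Linux 2.4 kernel with ECN enabled can make Snort report an ordinary mail delivery as a Queso probe. The Snort Queso signature of that era keyed on a SYN packet with both reserved TCP flag bits set (rule option `flags:S12`); an ECN-capable kernel sets exactly those two bits (ECE and CWR in RFC 3168) on the SYN of every active open, so every outbound SMTP connection trips the rule. Snort in a passive sensor deployment only logs; it does not tear down the connection. The script below is an added example, not code from the thread or from the Snort project. It re-joins the syslog records that the mail client wrapped onto two lines, groups the `IDS029` alerts per source/destination pair, reads the `spp_portscan` episode summaries, and applies a triage heuristic (the port and connection-count thresholds are assumptions) to say whether a batch of these alerts looks like scheduled SMTP delivery rather than a port sweep or a fingerprint burst. The sample log is constructed from a few of the quoted lines and keeps the thread's IP placeholders.

```python
import re
from collections import defaultdict

# TCP flag byte (RFC 793); the two former reserved bits became ECE/CWR in RFC 3168.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80


def explain_syn_flags(flags):
    """Classify a TCP flag byte the way the old Snort Queso rule (flags:S12) saw it."""
    if flags == TCP_SYN | TCP_ECE | TCP_CWR:
        return "ecn-setup-syn"   # ECN-enabled sender's normal SYN; matches flags:S12
    if flags == TCP_SYN:
        return "plain-syn"       # ordinary active open; never matched the rule
    return "other"


# Syslog/Snort record parsing (formats taken from the quoted log lines).
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
SYSLOG_START = re.compile(r"^(?:%s)\s+\d{1,2} \d\d:\d\d:\d\d " % MONTHS)
ALERT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"IDS029 - SCAN-Possible Queso Fingerprint attempt: "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")
EPISODE_RE = re.compile(
    r"spp_portscan: End of portscan from (?P<src>\S+): TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)")

# Assumed threshold: a fingerprinting burst sends more packets than this to one port.
MAX_CONNECTIONS_PER_EPISODE = 3


def unwrap(text):
    """Re-join syslog records that a mail client wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_queso_alerts(records):
    alerts = []
    for rec in records:
        m = ALERT_RE.match(rec)
        if m:
            alerts.append({"day": "%s %s" % (m["mon"], m["day"]), "time": m["time"],
                           "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def parse_episodes(records):
    episodes = []
    for rec in records:
        m = EPISODE_RE.search(rec)
        if m:
            episodes.append({"src": m["src"], "secs": int(m["secs"]), "hosts": int(m["hosts"]),
                             "tcp": int(m["tcp"]), "udp": int(m["udp"])})
    return episodes


def triage(text):
    """Summarise IDS029 alerts per (src, dst) pair and give a coarse verdict."""
    records = unwrap(text)
    alerts = parse_queso_alerts(records)
    episodes = parse_episodes(records)
    pairs = defaultdict(lambda: {"count": 0, "dports": set(), "days": set(),
                                 "hours": set(), "sports": []})
    for a in alerts:
        g = pairs[(a["src"], a["dst"])]
        g["count"] += 1
        g["dports"].add(a["dport"])
        g["days"].add(a["day"])
        g["hours"].add(int(a["time"][:2]))
        g["sports"].append(a["sport"])
    max_hosts = max((e["hosts"] for e in episodes), default=0)
    max_tcp = max((e["tcp"] for e in episodes), default=0)
    # Benign pattern: only SMTP, ephemeral client ports, one host and a handful
    # of connections per portscan episode (no sweep, no probe burst).
    benign = (bool(pairs)
              and all(g["dports"] == {25} and min(g["sports"]) >= 1024 for g in pairs.values())
              and max_hosts <= 1 and max_tcp <= MAX_CONNECTIONS_PER_EPISODE)
    return {"alerts": len(alerts), "pairs": dict(pairs), "episodes": len(episodes),
            "max_hosts_per_episode": max_hosts, "max_tcp_per_episode": max_tcp,
            "verdict": "consistent-with-smtp-delivery" if benign else "needs-review"}


# Constructed sample: a few records from the thread, wrapped as the mail shows them.
SAMPLE_LOG = """\
Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46173 -> [victim-ip1]:25
Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from
[our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 11 07:06:19 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
[our-server-ip] (STEALTH)
Mar 11 07:06:19 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:46779 -> [victim-ip2]:25
Mar 11 07:06:27 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53594 -> [victim-ip1]:25
Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
attempt: [our-server-ip]:53624 -> [victim-ip1]:25
Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from
[our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (src, dst), g in sorted(result["pairs"].items()):
        print("%s -> %s: %d alerts, ports %s, hours %s" %
              (src, dst, g["count"], sorted(g["dports"]), sorted(g["hours"])))
    print("verdict:", result["verdict"])
    print("SYN with ECE+CWR:", explain_syn_flags(TCP_SYN | TCP_ECE | TCP_CWR))
```

Run against the full log pasted in the thread, the same grouping shows every alert going to port 25 on the two gateways with one or two connections per episode, which is the shape of a scheduled delivery run, not of a scan. The durable fix on the sensor side is to replace a bare `flags:S12` match with a rule that does not fire on a well-formed ECN-setup SYN, and on the sender side to confirm that the kernel's ECN setting is what produces those two bits.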