[Snort-users] Re: Possible Queso Fingerprint attempt?

Max Vision vision at ...4...
Thu Mar 15 07:00:15 EST 2001


Background information - http://www.sans.org/y2k/ecn.htm

I have updated the queso signature in a way that will greatly reduce the
number of false positives.  However this does not solve the problem of
ISPs who don't update their signatures, or the underlying problem of ISPs
trusting email complaints.  There are HUGE problems with reacting to
an email and cutting off your customer:
 1> the information could be intentionally forged to get someone
    in trouble (this is *far* more common than you think), or
 2> the sender may have faulty information (old signatures,
    misinterpreted IDS or firewall logs, etc), or
 3> the sender may have valid information, but the attack against
    them was forged/spoofed traffic (not valid after all).

rant
ISPs, *please* use some common sense and treat your customers with a
little more respect.  Notably irresponsible wannabe security guards
include Brian of ATT Policy group in the bay area - a malicious and
conceited wannabe who shut off *my* access last year over an obviously
false positive snort alert that someone had sent in.  It didn't matter
that I could explain their problem in extreme detail, nor that I was the
person who wrote the signature they used (irony!!).  This same type of
misunderstanding also forced me to discontinue the self-scan services that
I had offered last year. (boycott att!) :)
/rant

Back to the queso/ECN issue.  Marty added modifications to the TOS plugin
(sp_ip_tos_check) but I think that there is a simple way to determine
queso traffic:  Queso-generated packets have an initial TTL of 255.  Linux
uses an initial TTL of 64 (in most cases I'm aware).  Queso also has a
predictable tcp window size, but there is not a way to specify this in the
snort signature syntax.

Queso packet looks like:

03/15-03:24:44.183080 maxvision:6941 -> whitehats:80
TCP TTL:255 TOS:0x0 ID:38278 IpLen:20 DgmLen:40
12****S* Seq: 0x62283A7D  Ack: 0x0  Win: 0x1234  TcpLen: 20

03/15-03:26:32.940213 maxvision:27308 -> whitehats:80
TCP TTL:255 TOS:0x0 ID:58645 IpLen:20 DgmLen:40
12****S* Seq: 0x70C7AFA2  Ack: 0x0  Win: 0x1234  TcpLen: 20

03/15-03:26:49.019779 maxvision:8478 -> whitehats:80
TCP TTL:255 TOS:0x0 ID:39815 IpLen:20 DgmLen:40
12****S* Seq: 0x7E439BA6  Ack: 0x0  Win: 0x1234  TcpLen: 20

Linux 2.4 with ECN packets look like:

03/15-03:25:43.616525 somelinuxbox:1701 -> whitehats:80
TCP TTL:64 TOS:0x0 ID:1916 IpLen:20 DgmLen:60 DF
12****S* Seq: 0x4C493FB  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 191540432 0 NOP WS: 0

Er, lastly, the new signature that will hopefully reduce these false
positives a little:

  http://whitehats.com/info/IDS29

This works great for me.  If it doesn't for you, or you have
feedback/corrections please let me know :)

Max Vision
http://whitehats.com/
http://maxvision.net/
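As an added illustration (not code from Max's message, from the IDS29 rule, or from Snort itself), the following script parses Snort packet dumps in the text layout shown above and separates a Queso-style SYN (TTL 255, Win 0x1234, bare 20-byte header) from a Linux 2.4 ECN SYN (TTL 64, DF, normal option block). The two sample dumps are constructed; the TTL threshold of 128 for "started at 255" is an assumption, and the hostnames are placeholders.

```python
import re

# Constructed Snort packet dumps in the same text layout as the ones quoted
# in the message above (hosts, ports and sequence numbers are made up).
QUESO_SYN = """\
03/15-03:24:44.183080 scanner:6941 -> webhost:80
TCP TTL:255 TOS:0x0 ID:38278 IpLen:20 DgmLen:40
12****S* Seq: 0x62283A7D  Ack: 0x0  Win: 0x1234  TcpLen: 20
"""

LINUX_ECN_SYN = """\
03/15-03:25:43.616525 linuxbox:1701 -> webhost:80
TCP TTL:64 TOS:0x0 ID:1916 IpLen:20 DgmLen:60 DF
12****S* Seq: 0x4C493FB  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 191540432 0 NOP WS: 0
"""

# Snort prints the TCP flag byte as the fixed-order string "12UAPRSF",
# with '*' for a clear bit; bits 1 and 2 are the reserved bits that
# Linux 2.4 uses for ECN (CWR/ECE) on its SYNs.
IP_RE = re.compile(r"TCP TTL:(\d+) .*?DgmLen:(\d+)( DF)?")
TCP_RE = re.compile(
    r"^(\S{8}) Seq: .*?Win: 0x([0-9A-Fa-f]+)\s+TcpLen: (\d+)", re.M)


def parse_snort_dump(text):
    """Pull the fields the classifier needs out of one Snort packet dump."""
    ip, tcp = IP_RE.search(text), TCP_RE.search(text)
    if ip is None or tcp is None:
        raise ValueError("not a Snort TCP packet dump")
    flags = tcp.group(1)
    return {
        "ttl": int(ip.group(1)),
        "df": ip.group(3) is not None,
        "reserved_bits": flags[0] == "1" and flags[1] == "2",
        "ack": flags[3] == "A",
        "syn": flags[6] == "S",
        "win": int(tcp.group(2), 16),
        "tcplen": int(tcp.group(3)),
        "has_options": "TCP Options" in text,
    }


def classify(pkt):
    """Label a SYN that the old reserved-bits-only rule would have flagged."""
    if not (pkt["syn"] and not pkt["ack"] and pkt["reserved_bits"]):
        return "not-a-candidate"   # old rule only cared about SYN + reserved bits
    # Queso traits from the message: initial TTL 255, Win 0x1234, bare
    # 20-byte TCP header. The TTL seen at the sensor is the initial value
    # minus hops, so anything above 128 is taken to have started at 255
    # (assumption: no common stack defaults to 128 < initial TTL < 255).
    if pkt["ttl"] > 128 and pkt["win"] == 0x1234 and pkt["tcplen"] == 20:
        return "queso-like"
    # Linux 2.4 ECN traits from the message: initial TTL 64, DF set and a
    # normal option block (MSS, SACK, timestamps, window scale).
    if pkt["ttl"] <= 64 and pkt["df"] and pkt["has_options"]:
        return "linux-ecn-syn"
    return "ambiguous"   # reserved bits set, fits neither profile: check by hand


def triage(dump_text):
    """Classify every blank-line-separated dump in a Snort alert file."""
    chunks = [c for c in dump_text.split("\n\n") if c.strip()]
    return [classify(parse_snort_dump(c)) for c in chunks]
```

Run `triage()` over an alert file before forwarding a complaint: a batch that comes out entirely "linux-ecn-syn" is the ECN false positive described in this thread, not a scan.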

On Thu, 15 Mar 2001, Aaron S. Carmichael wrote:
> We have noticed something very much the same. The offending Possible Queso
> Fingerprint was coming from a linux org in Virginia. Now we know this
> particular system has not been compromised but every time one of our users
> gets mail from their list snort sees it as a Possible Queso Fingerprint.
>
> Kind of a drag since they tend to send 50 to 100 messages to the list
> members a day and logging that and checking up on it sucks.
>
> Let me know if you find a solution and I will pass it on to the system I am
> talking about.
>
> Aaron S. Carmichael
> CTO/VP Information Technology
> TimeCertain, LLC.
> 202-244-3243 (voice)
> 202-244-5694 (fax)
> aaron at ...532...
> http://www.timecertain.com
>
> ----------------------------------------
> This message is for the named person's use only.  It may contain
> confidential, proprietary or legally privileged information.  No
> confidentiality or privilege is waived or lost by any mistransmission.  If
> you receive this message in error, please immediately delete it and all
> copies of it from your system, destroy any hard copies of it and notify the
> sender.  You must not, directly or indirectly, use, disclose, distribute,
> print, or copy any part of this message if you are not the intended
> recipient. Any views expressed in this message are those of the individual
> sender, except where the message states otherwise and the sender is
> authorized to state them to be the views of any such entity.
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ookhoi
> Sent: Tuesday, March 13, 2001 1:01 PM
> To: snort-users at lists.sourceforge.net; postfix-users at ...1581...
> Cc: snort-devel at lists.sourceforge.net
> Subject: [Snort-users] Possible Queso Fingerprint attempt?
>
>
> Hi!
>
> Our ISP blocked our webserver for a while because (a) Company mailed
> that they were portscanned by us according to their hereby included
> snort log.
>
> Now we don't portscan of course, and can't find proof of a break in
> (maybe somebody else wanted to do us a favor and do a portscan for us ;-)
> And besides, in the snort log only a scan at port 25 is mentioned at two
> of their servers, which happen to be both mail gateways.
>
> According to the database on the webserver, someone from Company
> subscribed to a forum on our site early this month. The forum sends out
> mails every morning, and thus also to the two mail gateways.
>
> According to our mail logs, our mailserver delivered mails to the mail
> gateways at the days mentioned in the snort log, but not at the same
> time as the scans.
>
> Our mailserver is postfix, and we use linux kernel 2.4 with ecn enabled.
> Can it be that postfix tried to deliver mail and that snort somehow
> found the tcp connection to be mangled in some way?
> I read that a Queso Fingerprint works by changing some things in the tcp
> packets.
> Will snort abort the connection when it detects a Queso Fingerprint, or
> does it only log the attempt?
>
> I searched the Internet and my postfix archives for something similar
> but didn't succeed. Didn't look in the snort archives.
>
> I appreciate all your thoughts, tips, advisories and even flames and
> rtfms :-)
> Please cc me when you do so, as I can't keep up with the postfix
> mailing list, and barely with the snort mailing list.
>
> Thanx!
>
> 	Ookhoi
>
>
> victim-ip1 and victim-ip2 are the mail gateways of Company.
> our-server-ip is our server. :-)
>
>
> Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:46173 -> [victim-ip1]:25
> Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 11 06:53:18 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 06:53:18 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:46305 -> [victim-ip1]:25
> Mar 11 06:53:22 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 06:53:26 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 11 07:06:19 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 07:06:19 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:46779 -> [victim-ip2]:25
> Mar 11 07:06:23 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 07:06:27 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 11 14:48:34 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 14:48:34 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:50001 -> [victim-ip1]:25
> Mar 11 14:48:37 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 14:48:42 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 12 04:31:35 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 12 04:31:35 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53294 -> [victim-ip1]:25
> Mar 12 04:31:38 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53306 -> [victim-ip1]:25
> Mar 12 04:31:39 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:31:43 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(3s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 12 04:34:48 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53594 -> [victim-ip1]:25
> Mar 12 04:34:52 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53624 -> [victim-ip1]:25
> Mar 12 04:34:56 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
> Mar 12 04:38:16 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 12 04:38:16 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53929 -> [victim-ip1]:25
> Mar 12 04:38:20 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:38:24 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 12 04:38:47 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 12 04:38:47 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:53999 -> [victim-ip1]:25
> Mar 12 04:38:51 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:38:53 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:54022 -> [victim-ip1]:25
> Mar 12 04:38:55 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:38:59 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
> Mar 12 04:50:21 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 12 04:50:21 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:54673 -> [victim-ip2]:25
> Mar 12 04:50:25 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 12 04:50:29 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 11 06:46:59 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 11 06:46:59 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:46084 -> [victim-ip1]:25
> Mar 11 06:47:03 fw snort[354]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 11 06:47:07 fw snort[354]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 06:47:13 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 06:47:13 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:37467 -> [victim-ip1]:25
> Mar 10 06:47:17 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 06:47:21 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 06:50:15 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 06:50:15 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:37815 -> [victim-ip1]:25
> Mar 10 06:50:17 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:37819 -> [victim-ip1]:25
> Mar 10 06:50:19 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 06:50:23 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(2s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 06:54:09 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 06:54:09 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:38244 -> [victim-ip1]:25
> Mar 10 06:54:13 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 06:54:17 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 07:06:06 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 07:06:06 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:39343 -> [victim-ip2]:25
> Mar 10 07:06:10 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 07:06:14 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 07:10:46 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 07:10:46 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:39587 -> [victim-ip2]:25
> Mar 10 07:10:50 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 07:10:54 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 07:12:51 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 07:12:51 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:39925 -> [victim-ip2]:25
> Mar 10 07:12:55 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 07:12:59 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 07:14:37 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 07:14:37 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:40085 -> [victim-ip2]:25
> Mar 10 07:14:41 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 07:14:45 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar 10 13:27:02 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar 10 13:27:02 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:42035 -> [victim-ip2]:25
> Mar 10 13:27:06 fw snort[32498]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar 10 13:27:10 fw snort[32498]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  9 06:55:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  9 06:55:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:57168 -> [victim-ip1]:25
> Mar  9 06:55:33 fw snort[32119]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  9 06:55:37 fw snort[32119]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  9 07:06:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  9 07:06:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:58556 -> [victim-ip2]:25
> Mar  9 07:06:33 fw snort[32119]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  9 07:06:37 fw snort[32119]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  9 07:11:15 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  9 07:11:15 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:58974 -> [victim-ip2]:25
> Mar  9 07:11:19 fw snort[32119]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  9 07:11:23 fw snort[32119]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  9 07:18:24 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  9 07:18:24 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:59910 -> [victim-ip2]:25
> Mar  9 07:18:28 fw snort[32119]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  9 07:18:32 fw snort[32119]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  8 06:54:08 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  8 06:54:08 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:48160 -> [victim-ip1]:25
> Mar  8 06:54:12 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 06:54:16 fw snort[31035]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  8 07:06:11 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  8 07:06:11 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:49166 -> [victim-ip2]:25
> Mar  8 07:06:15 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 07:06:19 fw snort[31035]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  8 07:11:04 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  8 07:11:04 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:49590 -> [victim-ip2]:25
> Mar  8 07:11:08 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 07:11:12 fw snort[31035]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  8 07:17:18 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  8 07:17:18 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:50227 -> [victim-ip2]:25
> Mar  8 07:17:22 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 07:17:26 fw snort[31035]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> Mar  8 07:17:43 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> [our-server-ip] (STEALTH)
> Mar  8 07:17:43 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:50432 -> [victim-ip2]:25
> Mar  8 07:17:47 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 07:17:49 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> attempt: [our-server-ip]:50479 -> [victim-ip2]:25
> Mar  8 07:17:51 fw snort[31035]: spp_portscan: portscan status from
> [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Mar  8 07:17:55 fw snort[31035]: spp_portscan: End of portscan from
> [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
>