[Snort-users] Re: [Snort-devel] Re: Possible Queso Fingerprint attempt?

Jeff Nathan jnathan at ...1590...
Thu Mar 15 15:56:44 EST 2001


Great work Max!

And your comments on AT&T Worldnet are interesting.  If ISPs are going
to deploy snort, they aren't doing anyone a service by having untrained or
undertrained staff viewing the output.

-Jeff

Max Vision wrote:
> 
> Background information - http://www.sans.org/y2k/ecn.htm
> 
> I have updated the queso signature in a way that will greatly reduce the
> number of false positives.  However this does not solve the problem of
> ISPs who don't update their signatures, or the underlying problem of ISPs
> trusting email complaints.  There are HUGE problems with reacting to
> an email and cutting off your customer:
>  1> the information could be intentionally forged to get someone
>     in trouble (this is *far* more common than you think), or
>  2> the sender may have faulty information (old signatures,
>     misinterpreted IDS or firewall logs, etc), or
>  3> the sender may have valid information, but the attack against
>     them was forged/spoofed traffic (not valid after all).
> 
> rant
> ISPs, *please* use some common sense and treat your customers with a
> little more respect.  Notably irresponsible wannabe security guards
> include Brian of ATT Policy group in the bay area - a malicious and
> conceited wannabe who shut off *my* access last year over an obviously
> false positive snort alert that someone had sent in.  It didn't matter
> that I could explain their problem in extreme detail, nor that I was the
> person who wrote the signature they used (irony!!).  This same type of
> misunderstanding also forced me to discontinue the self-scan services that
> I had offered last year. (boycott att!) :)
> /rant
> 
> Back to the queso/ECN issue.  Marty added modifications to the TOS plugin
> (sp_ip_tos_check) but I think that there is a simple way to determine
> queso traffic:  Queso-generated packets have an initial TTL of 255.  Linux
> uses an initial TTL of 64 (in most cases I'm aware).  Queso also has a
> predictable tcp window size, but there is not a way to specify this in the
> snort signature syntax.
> 
> Queso packet looks like:
> 
> 03/15-03:24:44.183080 maxvision:6941 -> whitehats:80
> TCP TTL:255 TOS:0x0 ID:38278 IpLen:20 DgmLen:40
> 12****S* Seq: 0x62283A7D  Ack: 0x0  Win: 0x1234  TcpLen: 20
> 
> 03/15-03:26:32.940213 maxvision:27308 -> whitehats:80
> TCP TTL:255 TOS:0x0 ID:58645 IpLen:20 DgmLen:40
> 12****S* Seq: 0x70C7AFA2  Ack: 0x0  Win: 0x1234  TcpLen: 20
> 
> 03/15-03:26:49.019779 maxvision:8478 -> whitehats:80
> TCP TTL:255 TOS:0x0 ID:39815 IpLen:20 DgmLen:40
> 12****S* Seq: 0x7E439BA6  Ack: 0x0  Win: 0x1234  TcpLen: 20
> 
> Linux 2.4 with ECN packets look like:
> 
> 03/15-03:25:43.616525 somelinuxbox:1701 -> whitehats:80
> TCP TTL:64 TOS:0x0 ID:1916 IpLen:20 DgmLen:60 DF
> 12****S* Seq: 0x4C493FB  Ack: 0x0  Win: 0x7D78  TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 191540432 0 NOP WS: 0
> 
> Er, lastly, the new signature that will hopefully reduce these false
> positives a little:
> 
>   http://whitehats.com/info/IDS29
> 
> This works great for me.  If it doesn't for you, or you have
> feedback/corrections, please let me know :)
> 
> Max Vision
> http://whitehats.com/
> http://maxvision.net/
> 
> On Thu, 15 Mar 2001, Aaron S. Carmichael wrote:
> > We have noticed something very much the same. The offending Possible Queso
> > Fingerprint was coming from a linux org in Virginia. Now we know this
> > particular system has not been compromised, but every time one of our users
> > gets mail from their list snort sees it as a Possible Queso Fingerprint.
> >
> > Kind of a drag since they tend to send 50 to 100 messages to the list
> > members a day and logging that and checking up on it sucks.
> >
> > Let me know if you find a solution and I will pass it on to the system I am
> > talking about.
> >
> > Aaron S. Carmichael
> > CTO/VP Information Technology
> > TimeCertain, LLC.
> > 202-244-3243 (voice)
> > 202-244-5694 (fax)
> > aaron at ...532...
> > http://www.timecertain.com
> >
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ookhoi
> > Sent: Tuesday, March 13, 2001 1:01 PM
> > To: snort-users at lists.sourceforge.net; postfix-users at ...1581...
> > Cc: snort-devel at lists.sourceforge.net
> > Subject: [Snort-users] Possible Queso Fingerprint attempt?
> >
> >
> > Hi!
> >
> > Our ISP blocked our webserver for a while because (a) Company mailed
> > that they were portscanned by us according to their hereby included
> > snort log.
> >
> > Now we don't portscan of course, and can't find proof of a break in
> > (maybe somebody else wanted to do us a favor and do a portscan for us ;-)
> > And besides, in the snort log only a scan at port 25 is mentioned at two
> > of their servers, which happen to be both mail gateways.
> >
> > According to the database on the webserver, someone from Company
> > subscribed to a forum on our site early this month. The forum sends out
> > mails every morning, and thus also to the two mail gateways.
> >
> > According to our mail logs, our mailserver delivered mails to the mail
> > gateways at the days mentioned in the snort log, but not at the same
> > time as the scans.
> >
> > Our mailserver is postfix, and we use linux kernel 2.4 with ecn enabled.
> > Can it be that postfix tried to deliver mail and that snort somehow
> > found the tcp connection to be mangled in some way?
> > I read that a Queso Fingerprint works by changing some things in the tcp
> > packets.
> > Will snort abort the connection when it detects a Queso Fingerprint, or
> > does it only log the attempt?
> >
> > I searched the Internet and my postfix archives for something similar
> > but didn't succeed. Didn't look in the snort archives.
> >
> > I appreciate all your thoughts, tips, advisories and even flames and
> > rtfms :-)
> > Please cc me when you do so, as I can't keep up with the postfix
> > mailing list, and barely with the snort mailing list..
> >
> > Thanx!
> >
> >       Ookhoi
> >
> >
> > victim-ip1 and victim-ip2 are the mail gateways of Company.
> > our-server-ip is our server. :-)
> >
> >
> > Mar 11 06:49:41 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 11 06:49:41 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:46173 -> [victim-ip1]:25
> > Mar 11 06:49:45 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 11 06:49:49 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 11 06:53:18 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 11 06:53:18 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:46305 -> [victim-ip1]:25
> > Mar 11 06:53:22 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 11 06:53:26 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 11 07:06:19 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 11 07:06:19 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:46779 -> [victim-ip2]:25
> > Mar 11 07:06:23 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 11 07:06:27 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 11 14:48:34 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 11 14:48:34 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:50001 -> [victim-ip1]:25
> > Mar 11 14:48:37 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 11 14:48:42 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 12 04:31:35 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 12 04:31:35 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53294 -> [victim-ip1]:25
> > Mar 12 04:31:38 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53306 -> [victim-ip1]:25
> > Mar 12 04:31:39 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:31:43 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(3s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 12 04:34:48 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 12 04:34:48 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53594 -> [victim-ip1]:25
> > Mar 12 04:34:52 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:34:54 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53624 -> [victim-ip1]:25
> > Mar 12 04:34:56 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:35:00 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
> > Mar 12 04:38:16 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 12 04:38:16 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53929 -> [victim-ip1]:25
> > Mar 12 04:38:20 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:38:24 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 12 04:38:47 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 12 04:38:47 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:53999 -> [victim-ip1]:25
> > Mar 12 04:38:51 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:38:53 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:54022 -> [victim-ip1]:25
> > Mar 12 04:38:55 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:38:59 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
> > Mar 12 04:50:21 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 12 04:50:21 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:54673 -> [victim-ip2]:25
> > Mar 12 04:50:25 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 12 04:50:29 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 11 06:46:59 fw snort[354]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 11 06:46:59 fw snort[354]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:46084 -> [victim-ip1]:25
> > Mar 11 06:47:03 fw snort[354]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 11 06:47:07 fw snort[354]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 06:47:13 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 06:47:13 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:37467 -> [victim-ip1]:25
> > Mar 10 06:47:17 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 06:47:21 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 06:50:15 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 06:50:15 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:37815 -> [victim-ip1]:25
> > Mar 10 06:50:17 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:37819 -> [victim-ip1]:25
> > Mar 10 06:50:19 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 06:50:23 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(2s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 06:54:09 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 06:54:09 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:38244 -> [victim-ip1]:25
> > Mar 10 06:54:13 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 06:54:17 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 07:06:06 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 07:06:06 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:39343 -> [victim-ip2]:25
> > Mar 10 07:06:10 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 07:06:14 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 07:10:46 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 07:10:46 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:39587 -> [victim-ip2]:25
> > Mar 10 07:10:50 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 07:10:54 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 07:12:51 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 07:12:51 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:39925 -> [victim-ip2]:25
> > Mar 10 07:12:55 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 07:12:59 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 07:14:37 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 07:14:37 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:40085 -> [victim-ip2]:25
> > Mar 10 07:14:41 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 07:14:45 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar 10 13:27:02 fw snort[32498]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar 10 13:27:02 fw snort[32498]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:42035 -> [victim-ip2]:25
> > Mar 10 13:27:06 fw snort[32498]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar 10 13:27:10 fw snort[32498]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  9 06:55:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  9 06:55:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:57168 -> [victim-ip1]:25
> > Mar  9 06:55:33 fw snort[32119]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  9 06:55:37 fw snort[32119]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  9 07:06:29 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  9 07:06:29 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:58556 -> [victim-ip2]:25
> > Mar  9 07:06:33 fw snort[32119]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  9 07:06:37 fw snort[32119]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  9 07:11:15 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  9 07:11:15 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:58974 -> [victim-ip2]:25
> > Mar  9 07:11:19 fw snort[32119]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  9 07:11:23 fw snort[32119]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  9 07:18:24 fw snort[32119]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  9 07:18:24 fw snort[32119]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:59910 -> [victim-ip2]:25
> > Mar  9 07:18:28 fw snort[32119]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  9 07:18:32 fw snort[32119]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  8 06:54:08 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  8 06:54:08 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:48160 -> [victim-ip1]:25
> > Mar  8 06:54:12 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 06:54:16 fw snort[31035]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  8 07:06:11 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  8 07:06:11 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:49166 -> [victim-ip2]:25
> > Mar  8 07:06:15 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 07:06:19 fw snort[31035]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  8 07:11:04 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  8 07:11:04 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:49590 -> [victim-ip2]:25
> > Mar  8 07:11:08 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 07:11:12 fw snort[31035]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  8 07:17:18 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  8 07:17:18 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:50227 -> [victim-ip2]:25
> > Mar  8 07:17:22 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 07:17:26 fw snort[31035]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH
> > Mar  8 07:17:43 fw snort[31035]: spp_portscan: PORTSCAN DETECTED from
> > [our-server-ip] (STEALTH)
> > Mar  8 07:17:43 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:50432 -> [victim-ip2]:25
> > Mar  8 07:17:47 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 07:17:49 fw snort[31035]: IDS029 - SCAN-Possible Queso Fingerprint
> > attempt: [our-server-ip]:50479 -> [victim-ip2]:25
> > Mar  8 07:17:51 fw snort[31035]: spp_portscan: portscan status from
> > [our-server-ip]: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Mar  8 07:17:55 fw snort[31035]: spp_portscan: End of portscan from
> > [our-server-ip]: TOTAL time(6s) hosts(1) TCP(2) UDP(0) STEALTH
> >

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
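Added example, not code from this thread, from Snort or from the IDS29 rule: a small triage script that parses Snort's ASCII packet dumps of the kind Max posted above and applies his discriminators (initial TTL 255 vs 64, fixed window 0x1234, no TCP options vs DF plus options) to tell Queso probes from Linux 2.4 ECN SYNs. The first two dumps are Max's; the third is a constructed plain SYN to show ordinary traffic passing through unflagged; the TTL threshold and the `classify` names are assumptions of this example.

```python
"""Triage Snort 'Possible Queso Fingerprint' hits using TTL, window and options."""
import re
from dataclasses import dataclass

# First two dumps reproduced from Max Vision's post; third is constructed.
SAMPLE_DUMPS = """\
03/15-03:24:44.183080 maxvision:6941 -> whitehats:80
TCP TTL:255 TOS:0x0 ID:38278 IpLen:20 DgmLen:40
12****S* Seq: 0x62283A7D  Ack: 0x0  Win: 0x1234  TcpLen: 20

03/15-03:25:43.616525 somelinuxbox:1701 -> whitehats:80
TCP TTL:64 TOS:0x0 ID:1916 IpLen:20 DgmLen:60 DF
12****S* Seq: 0x4C493FB  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 191540432 0 NOP WS: 0

03/15-03:30:00.000000 plainbox:4000 -> whitehats:80
TCP TTL:128 TOS:0x0 ID:100 IpLen:20 DgmLen:48 DF
******S* Seq: 0x00000001  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""

QUESO_WINDOW = 0x1234   # fixed TCP window Queso uses, per the thread
LINUX_INITIAL_TTL = 64  # Linux default; Queso starts at 255 (assumed threshold)

@dataclass
class SynRecord:
    src: str
    dst: str
    ttl: int
    dgm_len: int
    df: bool
    flags: str     # Snort flag string: reserved1 reserved2 U A P R S F
    window: int
    tcp_len: int

HDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$")
IP_RE = re.compile(r"TTL:(\d+) .*DgmLen:(\d+)( DF)?")
TCP_RE = re.compile(r"^(\S{8}) Seq: \S+\s+Ack: \S+\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")

def parse_dumps(text):
    """Parse Snort's default ASCII packet dumps (blank-line separated) into records."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, ip, tcp = HDR_RE.match(lines[0]), IP_RE.search(lines[1]), TCP_RE.match(lines[2])
        if not (h and ip and tcp):
            continue  # not a TCP dump we understand; skip rather than guess
        records.append(SynRecord(src=h.group(1), dst=h.group(2),
                                 ttl=int(ip.group(1)), dgm_len=int(ip.group(2)),
                                 df=bool(ip.group(3)), flags=tcp.group(1),
                                 window=int(tcp.group(2), 16), tcp_len=int(tcp.group(3))))
    return records

def classify(rec):
    """Return 'queso', 'linux-ecn' or 'other' for one parsed SYN."""
    # Both reserved bits plus SYN ("12****S*") is what the old IDS029 rule matched on.
    if not (rec.flags.startswith("12") and rec.flags[6] == "S"):
        return "other"
    # Queso: TTL still above any Linux default after hops, no options, fixed window.
    if rec.ttl > LINUX_INITIAL_TTL and rec.tcp_len == 20 and rec.window == QUESO_WINDOW:
        return "queso"
    # Linux 2.4 ECN: TTL at or below 64, DF set, real TCP options present.
    if rec.ttl <= LINUX_INITIAL_TTL and rec.df and rec.tcp_len > 20:
        return "linux-ecn"
    return "other"  # reserved bits set but fits neither profile: needs a human look

def triage(text):
    """Map each dump to (source, verdict) so an analyst can filter the ECN noise."""
    return [(r.src, classify(r)) for r in parse_dumps(text)]
```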
