[Snort-users] Portscan from own interface

John Berkers berjo at ...827...
Wed May 16 08:48:02 EDT 2001


Depending on the type of firewall being used, and whether it proxies HTTP
traffic, traffic that is passing through the firewall may in fact look like
it is originating at the firewall.

As for anti-spoofing, this again depends on your firewall software.

In firewall-1 you need to edit the network object in question (a firewall),
and specify valid addresses for each of the interfaces.  There is a standard
set of choices: All, Other, Other + Specify extra, selected addresses.

Other actually refers to addresses on the other interfaces, eg. you should
not expect to see traffic that belongs on the network of interface 1 on the
network connected to interface 2.

Have a look through your firewall documentation for more information.

If you are trying to set up anti-spoofing on a Linux box, using IPChains or
IPTables the simplest thing would be to drop all traffic on eth0 that should
only be arriving on eth1 and vice versa.

Hope I didn't lose anyone there.

John

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Subba Rao
Sent: Wednesday, 16 May 2001 15:38
To: Midnight shadow
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Portscan from own interface


On  0, Midnight shadow <p.selder at ...2006...> wrote:
>
> I noticed someting stange in the snort-log file. I got a portscan from the
> external interface from my firewall. Normally the offending hosts is
logged,
> but now my external ip is listed.
>
> What can be the cause? Spoofing of some kind?
> The next line are only a few from the messages log.
>
> May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from
> x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
> May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from
> x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
> May 10 09:01:15 proxy last message repeated 2 times
>
> x.x.x.x is the ip of the external interface.
> I'm running snort 1.8 beta on redhat 7.0 i386
>

I am seeing similar messages in my snort logs. I hope it is only spoofing
and
not that my machine has been compromised.

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**]
05/16-05:19:37.397711

How can I set up anti-spoofing controls on my machine?

TIA.

--

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list