[Snort-users] is there any way of stopping this?

Neil Dickey neil at ...1633...
Thu May 31 13:22:52 EDT 2001


"Ben Johansen" <benj at ...2026...> wrote asking:

>I have looked at whitehats.com and found no direct reference to this
>portscan
[ ... Snip ... ]
>Can it be stopped?
>Is there a hole I have missed?

Hello, Ben.  Welcome aboard.

These log traces are generated by the portscan preprocessor, not by one
of the rules in the ruleset.  It's been my experience that they are
generated by incoming TCP packets that have the so-called "reserved bits"
set.  You may know that TCP packets commonly have flags set, SYN, ACK, FIN,
and the like, to indicate what part they are playing in the TCP connection.
There are two bits left over after all the flags have been accommodated, and
these are the "reserved bits."

Having them set on incoming packets *may* be an indication of suspicious
behavior, but isn't *necessarily* so.  Some types of scans will set these
bits and see how your OS responds to them, for instance, as a means of
helping figure out exactly what OS it is you're running.  My own post of
an hour or so ago has an example of my web daemon apparently sending out
packets with the reserved bits set, and I can categorically state that this
is done in all innocence.

Can it be stopped?  No.  You can make the log trace go away by disabling
the portscan preprocessor, but I don't recommend that.  ;-)  Is there a
hole you have missed?  The fact that you are getting these entries doesn't
mean you have a hole in your defenses.  It may mean that someone is scanning
you to find out what you are and whether or not you might make a good target,
or it may mean nothing at all.

Keep an eye on the source IP of these alerts, and see if you can see any
patterns develop.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
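The header layout Neil describes can be checked directly. The following is an added example, not code from the post, from Snort, or from the Snort-users list: it parses the fixed 20-byte TCP header per RFC 793, reports the standard flags, and tests the two high bits of the flags byte that the post calls the "reserved bits" (RFC 3168 later assigned those same two bits to ECN as CWR and ECE, which is one innocent reason a host may set them). It then tallies reserved-bit hits per source address over a constructed packet list, which is the "watch the source IP" habit the post recommends. The header builder, the sample addresses (RFC 5737 documentation ranges) and the function names are all constructed for this example.

```python
import struct

# Standard control bits in the low byte of the TCP offset/flags word.
FLAG_NAMES = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG",
}
# The two bits above URG: "reserved" in RFC 793, assigned to ECN
# (ECE = 0x40, CWR = 0x80) by RFC 3168.
RESERVED_MASK = 0xC0


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (no IP header, options ignored)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) & 0xF      # header length in 32-bit words
    flags_byte = off_flags & 0xFF
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset_words": data_offset,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags_byte & bit],
        "reserved_bits_set": bool(flags_byte & RESERVED_MASK),
        # 0..3: which of the two reserved bits are on (bit1 = 0x80, bit0 = 0x40)
        "reserved_value": (flags_byte & RESERVED_MASK) >> 6,
    }


def build_tcp_header(sport: int, dport: int, flags_byte: int,
                     seq: int = 0, ack: int = 0, window: int = 8192) -> bytes:
    """Constructed helper: build a 20-byte TCP header with the given flags byte."""
    off_flags = (5 << 12) | (flags_byte & 0xFF)   # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


# Constructed sample traffic: (source address, raw TCP header).
SAMPLE_PACKETS = [
    ("192.0.2.10",   build_tcp_header(40000, 80, 0x02)),          # plain SYN
    ("192.0.2.10",   build_tcp_header(40001, 80, 0x02 | 0xC0)),   # SYN + both reserved bits
    ("198.51.100.7", build_tcp_header(51000, 22, 0x80)),          # reserved bit, no control bits
    ("198.51.100.7", build_tcp_header(51001, 23, 0x40)),          # other reserved bit alone
    ("192.0.2.10",   build_tcp_header(40002, 80, 0x10)),          # plain ACK
]


def reserved_bit_hits_by_source(packets) -> dict:
    """Count packets with any reserved bit set, keyed by source address."""
    counts = {}
    for src, raw in packets:
        if parse_tcp_header(raw)["reserved_bits_set"]:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        h = parse_tcp_header(raw)
        print(f"{src:>14} -> {h['dport']:<5} flags={'/'.join(h['flags']) or '-':<8}"
              f" reserved={h['reserved_value']:02b}")
    print("reserved-bit hits by source:", reserved_bit_hits_by_source(SAMPLE_PACKETS))
```

A single hit from a host that is also completing normal connections (as 192.0.2.10 does above) is consistent with ECN negotiation; a source that sends only reserved-bit packets to several ports and nothing else is the pattern worth watching.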