[Snort-users] RE: Help with pass rule
erek at ...577...
Thu Aug 29 17:48:03 EDT 2002
On Fri, 30 Aug 2002 francisv at ...6732... wrote:
> Here's some alerts. Notice that the scans are originating from outside my
> servers' network ($SERVERS_NET). $SERVERS_NET is a subnet inside $HOME_NET
> while $EXTERNAL_NET is any network/IP not belonging to $HOME_NET.
> Generated by ACID v0.9.6b21 on Fri August 30, 2002 08:26:41
Ok. That helped a lot. Thanks!
This is the rule that's firing that alert:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
Ok. What this translates into is "A TCP packet on port 8080, with only the SYN
flag set, coming from EXTERNAL_NET into HOME_NET". From what I understand of
your layout, this is right. The alerts you sent were from outside of the
range of your SERVERS_NET, which is a subnet of HOME_NET. That's why it's
firing off. From the looks of it, you _wouldn't_ want to ignore that traffic,
as it does seem to be a SYN scan for open proxies.
And if I'm wrong, or missing something, feel free to correct me. :)
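To make the reasoning above concrete, here is an added example (not code from the post, and not Snort's own rule engine) that parses sid 620 and a hypothetical pass rule and evaluates constructed packets against them. The network variables (192.168.0.0/16 as HOME_NET, 192.168.10.0/24 as SERVERS_NET), the packet addresses and the "trusted scanner" host 203.0.113.9 are all assumptions. It also shows why a pass rule alone does not silence an alert: Snort applies rule types in the order alert, pass, log unless it is started with -o, which switches to pass, alert, log.

```python
"""Tiny evaluator for Snort 1.x-style rules (added example, not Snort code)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed network variables (assumption; the post gives no addresses).
# SERVERS_NET is a subnet inside HOME_NET; EXTERNAL_NET is everything else.
VARS = {
    "HOME_NET": "192.168.0.0/16",
    "SERVERS_NET": "192.168.10.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S" for SYN, "SA" for SYN/ACK


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (opt:val; ...)'; line wraps are collapsed."""
    m = HEADER.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            # msg values carry escaped parentheses, as in sid 620
            opts[key.strip()] = val.strip().strip('"').replace("\\(", "(").replace("\\)", ")")
    return Rule(action, proto, src, sport, dst, dport, opts)


def ip_matches(spec, ip):
    """Resolve any / !negation / $VARIABLE / CIDR against one address."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("$"):
        return ip_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """Snort flags semantics: 'S' = exactly SYN, 'S+' = SYN plus anything, 'S*' = any listed flag."""
    want, have = set(spec.rstrip("+*")), set(flags)
    if spec.endswith("+"):
        return want <= have
    if spec.endswith("*"):
        return bool(want & have)
    return want == have


def rule_matches(rule, pkt):
    if rule.proto != pkt.proto:
        return False
    if not (ip_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (ip_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    return "flags" not in rule.opts or flags_match(rule.opts["flags"], pkt.flags)


def evaluate(rules, pkt, order=("alert", "pass", "log")):
    """Return (action, msg): rule types are tried in `order` and the first type with a match wins.
    Default Snort order is alert, pass, log; `snort -o` gives pass, alert, log."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.opts.get("msg", "")
    return "none", ""


# The rule from the post (sid 620) plus a hypothetical pass rule for one trusted scanner host.
SCAN_RULE = parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \\(8080\\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)')
PASS_RULE = parse_rule('pass tcp 203.0.113.9 any -> $HOME_NET 8080 (msg:"trusted scanner"; flags:S;)')
RULES = [SCAN_RULE, PASS_RULE]

# Constructed packets (assumption): a server in SERVERS_NET probed on 8080 from various sources.
SCAN_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", 40000, "192.168.10.20", 8080, "S")
SCAN_FROM_TRUSTED = Packet("tcp", "203.0.113.9", 40000, "192.168.10.20", 8080, "S")
SCAN_FROM_INSIDE = Packet("tcp", "192.168.20.7", 40000, "192.168.10.20", 8080, "S")
SYNACK_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", 40000, "192.168.10.20", 8080, "SA")

if __name__ == "__main__":
    for name, pkt in [("outside", SCAN_FROM_OUTSIDE), ("trusted", SCAN_FROM_TRUSTED),
                      ("inside HOME_NET", SCAN_FROM_INSIDE), ("SYN/ACK", SYNACK_FROM_OUTSIDE)]:
        print(name, "default order:", evaluate(RULES, pkt),
              "with -o:", evaluate(RULES, pkt, ("pass", "alert", "log")))
```

The inside-HOME_NET probe never matches because $EXTERNAL_NET resolves to !$HOME_NET, so a source that is in HOME_NET but outside SERVERS_NET is not "external" to this rule; the SYN/ACK fails the flags:S check. The trusted host still alerts under the default order and is only passed once pass rules are evaluated first.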