[Snort-users] RE: Help with pass rule

Erek Adams erek at ...577...
Thu Aug 29 17:48:03 EDT 2002

On Fri, 30 Aug 2002 francisv at ...6732... wrote:

> Here's some alerts. Notice that the scans are originating from outside my
> servers' network ($SERVERS_NET). $SERVERS_NET is a subnet inside $HOME_NET
> while $EXTERNAL_NET is any network/IP not belonging to $HOME_NET.
> Generated by ACID v0.9.6b21 on Fri August 30, 2002 08:26:41


Ok.  That helped a lot.  Thanks!

This is the rule that's firing that alert:

  alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)

Ok, what this translates into is "A TCP packet to port 8080, with only the SYN
flag set, coming from EXTERNAL_NET into HOME_NET".  From what I understand of
your layout, this is right.  The alerts you sent were from outside of the
range of your SERVERS_NET, which is a subnet of HOME_NET.  That's why it's
firing off.  From the looks of it, you _wouldn't_ want to ignore that traffic,
as it does seem to be a SYN scan for open proxies.

And if I'm wrong, or missing something, feel free to correct me.  :)

Erek Adams
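The matching logic described in the reply above, written out as a small Python model so the variable scoping ($EXTERNAL_NET as the complement of $HOME_NET, $SERVERS_NET as a subnet of it) and the exact-flags meaning of flags:S can be checked against sample packets. This is an added example, not Snort's own code and not from anyone in this thread; the address prefixes, the sample packets, the hypothetical $SERVERS_NET pass rule and the pass-before-alert evaluation order are all assumptions made for the illustration.

```python
"""Constructed model of sid:620 against a HOME_NET / SERVERS_NET layout.

Not Snort code. Prefixes and packets below are made up for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Assumed layout, modelled on the thread: SERVERS_NET sits inside HOME_NET and
# EXTERNAL_NET is everything that is not HOME_NET. Real prefixes are unknown.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]
SERVERS_NET = [ipaddress.ip_network("192.168.10.0/24")]
VARS = {"$HOME_NET": HOME_NET, "$SERVERS_NET": SERVERS_NET}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters as Snort writes them, e.g. "S", "SA", "A"


@dataclass
class Rule:
    action: str      # "alert" or "pass"
    src: str         # "$HOME_NET", "$SERVERS_NET", "$EXTERNAL_NET" or "any"
    dst: str
    dport: "int | str"
    flags: str       # exact flag set, as Snort's flags:S (SYN and nothing else)
    msg: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (addr_matches(pkt.src, self.src)
                and addr_matches(pkt.dst, self.dst)
                and (self.dport == "any" or pkt.dport == self.dport)
                and set(pkt.flags) == set(self.flags))


def in_nets(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def addr_matches(addr: str, var: str) -> bool:
    if var == "any":
        return True
    if var == "$EXTERNAL_NET":          # defined in the thread as !$HOME_NET
        return not in_nets(addr, HOME_NET)
    return in_nets(addr, VARS[var])


# The rule quoted in the reply (sid:620), reduced to what the model needs.
SID_620 = Rule("alert", "$EXTERNAL_NET", "$HOME_NET", 8080, "S",
               "SCAN Proxy (8080) attempt")

# Hypothetical pass rule someone might write to silence the servers only.
PASS_SERVERS = Rule("pass", "$EXTERNAL_NET", "$SERVERS_NET", 8080, "S")


def decide(rules, pkt: Packet) -> str:
    """Return what happens to pkt: "pass", "alert: <msg>" or "none".

    Assumption of this model: pass rules are consulted before alert rules.
    Snort's rule order is configurable, so confirm it for the version in use.
    """
    for action in ("pass", "alert"):
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return "pass" if action == "pass" else f"alert: {rule.msg}"
    return "none"


# Constructed sample traffic. 203.0.113.0/24 is documentation space, used
# here as "outside HOME_NET".
SAMPLE = {
    "ext_syn_to_server": Packet("203.0.113.5", "192.168.10.7", 8080, "S"),
    "ext_syn_to_workstation": Packet("203.0.113.5", "192.168.1.20", 8080, "S"),
    "ext_synack_to_server": Packet("203.0.113.5", "192.168.10.7", 8080, "SA"),
    "internal_syn_to_server": Packet("192.168.1.20", "192.168.10.7", 8080, "S"),
    "ext_syn_other_port": Packet("203.0.113.5", "192.168.10.7", 3128, "S"),
}


def run_sample(rules) -> dict:
    """Decision per sample packet, so the effect of a rule set can be read off."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in run_sample([SID_620]).items():
        print(f"{name:26s} {verdict}")
    print("--- with the hypothetical $SERVERS_NET pass rule ---")
    for name, verdict in run_sample([PASS_SERVERS, SID_620]).items():
        print(f"{name:26s} {verdict}")
```

Running it shows the two points made in the reply: only a bare SYN from outside HOME_NET to port 8080 inside HOME_NET fires (a SYN/ACK, an internal source or another port does not), and a pass rule scoped to $SERVERS_NET would still leave the alerts for hosts elsewhere in HOME_NET, which is where the reported scans land anyway.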

