[Snort-users] am i scanning other ip's?

James Hoagland hoagland at ...47...
Mon Dec 9 10:01:10 EST 2002


Alfredo,

At 10:36 AM +0100 12/9/02, Alfredo D wrote:
>
>
>Hi. First of all, excuse my English.
>
>I'm new to Snort, but I installed a Mandrake Firewall that uses it, 
>and looking in the logs I found this in portscan.log.
>It seems like my computer is doing portscans to other IPs, right?
>What is SYN ******S*?
>The ports 61XXX?
>I installed the computer two days ago. Is it being hacked?
>

What you show here looks like normal web surfing to me; port 80 
traffic mixed with UDP DNS traffic.  Timing seems about right.  One 
of the IPs listed resolves to Google even.

It looks like you need to turn down the sensitivity of the portscan detector.

Kind regards,

   Jim

>Jan 1 10:05:18 [my own ip]:61591 -> 216.239.39.101:80 SYN ******S*
>Jan 1 10:05:20 [my own ip]:61593 -> 66.35.229.200:80 SYN ******S*
>Jan 1 10:05:40 [my own ip]:61594 -> 64.70.54.43:80 SYN ******S*
>Jan 1 10:05:44 [my own ip]:61596 -> 216.239.39.101:80 SYN ******S*
>Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61599 -> 64.152.64.67:80 SYN ******S*
>Jan 1 10:05:59 [my own ip]:61600 -> 216.239.39.101:80 SYN ******S*
>Jan 1 10:06:00 [my own ip]:61601 -> 64.152.64.67:80 SYN ******S*
>Jan 1 10:06:10 [my own ip]:61602 -> 216.239.39.101:80 SYN ******S*
>Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
>Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:20 [my own ip]:61606 -> 63.209.80.228:80 SYN ******S*
>Jan 1 10:06:23 [my own ip]:61607 -> 63.209.80.244:80 SYN ******S*
>Jan 1 10:06:23 [my own ip]:61608 -> 63.209.80.244:80 SYN ******S*
>Jan 1 10:06:23 [my own ip]:61609 -> 63.209.80.229:80 SYN ******S*


-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
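
Added example, not part of the original message or of Snort: a small triage script for portscan.log lines in the format quoted above, grouping entries per source and separating "a few well-known ports on many servers" from "many ports on one host". The CLIENT_SERVICES set, the max_ports_per_dst threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line shape as in the portscan.log excerpt quoted in this thread.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<src>.+?):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>.+?):(?P<dport>\d+)\s+(?P<kind>\S+)"
)

# Assumption: services an ordinary desktop client is expected to contact.
CLIENT_SERVICES = {("SYN", 80), ("SYN", 443), ("UDP", 53)}


def triage(lines, max_ports_per_dst=3):
    """Group portscan.log entries by source and judge each source."""
    per_src = defaultdict(lambda: defaultdict(set))  # src -> dst -> {(kind, dport)}
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines that do not match the format are skipped
            per_src[m["src"]][m["dst"]].add((m["kind"], int(m["dport"])))
    report = {}
    for src, dsts in per_src.items():
        services = set().union(*dsts.values())
        widest = max(len(s) for s in dsts.values())
        if services <= CLIENT_SERVICES and widest <= max_ports_per_dst:
            verdict = "client-traffic"   # few well-known ports, many servers
        else:
            verdict = "review"           # many ports on one host, or odd ports
        report[src] = {"destinations": len(dsts), "services": sorted(services),
                       "max_ports_on_one_dst": widest, "verdict": verdict}
    return report


# Constructed sample input (documentation addresses), not data from the thread.
BROWSING = """\
Jan 1 10:05:18 10.0.0.5:61591 -> 192.0.2.10:80 SYN ******S*
Jan 1 10:05:20 10.0.0.5:61593 -> 192.0.2.20:80 SYN ******S*
Jan 1 10:05:47 10.0.0.5:61597 -> 198.51.100.53:53 UDP
Jan 1 10:05:48 10.0.0.5:61599 -> 192.0.2.30:80 SYN ******S*
""".splitlines()
SWEEP = [f"Jan 1 11:00:0{i} 10.0.0.9:4000{i} -> 192.0.2.99:{p} SYN ******S*"
         for i, p in enumerate((21, 22, 23, 25, 110, 139))]

if __name__ == "__main__":
    for src, info in triage(BROWSING + SWEEP).items():
        print(src, info)
```

A "client-traffic" verdict only says the entries match ordinary outbound use; it does not replace tuning the portscan detector's thresholds as suggested in the reply.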



