[Snort-users] Am I scanning other IPs?

Matt Kettler mkettler at ...4108...
Mon Dec 9 11:02:06 EST 2002

No, you just have your HOME_NET set as any and the portscan processor is 
acting accordingly. If you want to use HOME_NET as any, do not use HOME_NET 
in your portscan preprocessor line in snort.conf. You'll false positive 
like mad.

All the port 80 traffic is you connecting to websites;
all the port 53 traffic is you performing DNS lookups.

This is the line of snort.conf that is hurting you:

preprocessor portscan: $HOME_NET 4 3 portscan.log

So any time any machine connects to any more than 4 machines in HOME_NET 
within 3 seconds, the portscan processor goes off.

Of course, if you're looking at your outbound traffic, it's very easy for 
your home machine to connect to 4 external machines in 3 seconds.. in 
fact.. it's normal.

At 10:36 AM 12/9/2002 +0100, you wrote:
>hi. First of all excuse my English
>i'm new to snort, but i installed a Mandrake Firewall that uses it, and 
>looking in logs i found this in portscan.log
>it seems like my computer is doing portscans to other IPs. right?
>what is SYN ******S*?
>the ports 61XXX?
>i installed the computer two days ago. is it being hacked?
>Jan 1 10:05:18 [my own ip]:61591 -> SYN ******S*
>Jan 1 10:05:20 [my own ip]:61593 -> SYN ******S*
>Jan 1 10:05:40 [my own ip]:61594 -> SYN ******S*
>Jan 1 10:05:44 [my own ip]:61596 -> SYN ******S*
>Jan 1 10:05:47 [my own ip]:61597 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61598 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61597 -> [isp dns]:53 UDP
>Jan 1 10:05:48 [my own ip]:61599 -> SYN ******S*
>Jan 1 10:05:59 [my own ip]:61600 -> SYN ******S*
>Jan 1 10:06:00 [my own ip]:61601 -> SYN ******S*
>Jan 1 10:06:10 [my own ip]:61602 -> SYN ******S*
>Jan 1 10:06:17 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:18 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:19 [my own ip]:61604 -> [isp dns]:53 UDP
>Jan 1 10:06:19 [my own ip]:61603 -> [isp dns]:53 UDP
>Jan 1 10:06:20 [my own ip]:61606 -> SYN ******S*
>Jan 1 10:06:23 [my own ip]:61607 -> SYN ******S*
>Jan 1 10:06:23 [my own ip]:61608 -> SYN ******S*
>Jan 1 10:06:23 [my own ip]:61609 -> SYN ******S*

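To see why `preprocessor portscan: $HOME_NET 4 3 portscan.log` fires on ordinary browsing when HOME_NET is `any`, here is an added example (not code from the thread or from Snort itself) that replays a handful of constructed portscan.log-style lines through a simplified model of the rule Matt describes: more than 4 distinct destinations inside the monitored network within 3 seconds. The line layout, the addresses (documentation ranges) and the counting rule are assumptions for illustration; Snort's real preprocessor keeps different internal state.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the layout quoted in the thread, with the
# destination address:port filled in. 192.168.1.10 is the "home machine"
# browsing a few websites and doing a DNS lookup within two seconds, then
# later talking to its own gateway. None of these hosts are real.
SAMPLE_LOG = """\
Jan 1 10:05:18 192.168.1.10:61591 -> 203.0.113.5:80 SYN ******S*
Jan 1 10:05:19 192.168.1.10:61593 -> 203.0.113.6:80 SYN ******S*
Jan 1 10:05:19 192.168.1.10:61594 -> 198.51.100.20:53 UDP
Jan 1 10:05:20 192.168.1.10:61596 -> 203.0.113.7:443 SYN ******S*
Jan 1 10:05:20 192.168.1.10:61597 -> 203.0.113.8:80 SYN ******S*
Jan 1 10:05:40 192.168.1.10:61600 -> 192.168.1.1:80 SYN ******S*
"""

# Assumed field layout: "<Mon> <day> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <proto/flags>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<proto>\S+)"
)


def parse_log(text):
    """Turn log lines into (seconds_of_day, stamp, src, dst, dport, proto) tuples.
    Unparseable lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dt = datetime.strptime(m["stamp"], "%b %d %H:%M:%S")
        secs = dt.hour * 3600 + dt.minute * 60 + dt.second
        events.append((secs, m["stamp"], m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return events


def portscan_alerts(events, monitor_nets, threshold=4, window=3):
    """Simplified model of '<monitor net> <threshold> <period>': report (src, stamp)
    whenever a source has touched more than `threshold` distinct destinations
    inside `monitor_nets` within the last `window` seconds. Destinations outside
    the monitored networks are ignored, which is what scoping HOME_NET buys you."""
    nets = [ip_network(n) for n in monitor_nets]
    recent = {}  # src -> [(secs, dst), ...] still inside the window
    alerts = []
    for secs, stamp, src, dst, dport, proto in events:
        if not any(ip_address(dst) in net for net in nets):
            continue
        hist = [(t, d) for t, d in recent.get(src, []) if secs - t <= window]
        hist.append((secs, dst))
        recent[src] = hist
        if len({d for _, d in hist}) > threshold:
            alerts.append((src, stamp))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # HOME_NET any: every outbound connection counts, normal browsing trips it.
    print("HOME_NET any       :", portscan_alerts(events, ["0.0.0.0/0"]))
    # HOME_NET scoped to the LAN: only traffic aimed at the LAN is counted.
    print("HOME_NET LAN only  :", portscan_alerts(events, ["192.168.1.0/24"]))
```

With the monitor network set to `0.0.0.0/0` (the equivalent of `$HOME_NET` being `any`) the fifth distinct external host within two seconds pushes the count past 4 and an "alert" appears at `Jan 1 10:05:20`; with the monitor network limited to the LAN the same burst is invisible, which is the behaviour the reply recommends.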