[Snort-users] Web servers scanning clients!!!

Matt Kettler mkettler at ...4108...
Thu Dec 26 17:00:02 EST 2002


Actually, note that those are ack-syn packets from their port 80 to ports 
in the "client" range on your system.

You're the one "scanning" them.

In this case your web browser is rapidly opening connections to download a 
large number of small images in the page. Each successive connection gets a 
different source-port on your side, and the responses look like a portscan 
to the portscan2 preprocessor.

I too have this problem with portscan2 since I enabled it. It seems that 
some awareness of the outbound syn packets from your home_net should be 
present to keep this from false-alerting, but it doesn't seem to be present 
in snort 1.9.0. (this could also be a config bug on my part, and Farzin's too)

Is this a known bug, or is there some way to tell the portscan2 preprocessor 
how to properly understand large bursts of outbound client connections from 
HOME_NET?



At 04:15 PM 12/26/2002 -0800, Farzin wrote:
>Hi All,
>
>Looking at my snort logs, I see that when a user
>accesses some sites such as
>http://www.nationalenquirer.com (38.144.52.102), the
>server turns around and scans about 21 ports on the
>client. Does anyone know why this is? Below is the
>log:
>
>[**] [117:1:1] (spp_portscan2) Portscan detected from
>38.144.52.102: 1 targets 21 ports in 2 seconds [**]
>12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
>TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
>***A**S* Seq: 0x4613D2D4  Ack: 0xF07A44E3  Win: 0x2798
>  TcpLen: 44
>TCP Options (9) => NOP NOP TS: 1229213631 743607218
>NOP WS: 0
>TCP Options => NOP NOP SackOK MSS: 1460
>
>[**] [117:1:1] (spp_portscan2) Portscan detected from
>38.144.52.102: 1 targets 21 ports in 2 seconds [**]
>12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
>TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
>***A**S* Seq: 0x49DDC83A  Ack: 0xF12A7099  Win: 0x2798
>  TcpLen: 44
>TCP Options (9) => NOP NOP TS: 1229216268 743609855
>NOP WS: 0
>TCP Options => NOP NOP SackOK MSS: 1460
>
>
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
>TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213
>
>Thanks in advance,
>
>
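Matt's explanation above, as an added example that is not from either post nor from Snort's portscan2 code: a toy scan counter run over constructed packet lines modelled on Farzin's log. Without awareness of HOME_NET's own outbound SYNs, the 21 SYN-ACKs coming back from port 80 count as 21 ports hit and trigger a "scan"; remembering the outbound SYNs suppresses that while a genuine inbound SYN sweep still alerts. Assumptions: 192.0.2.10 stands in for MY.IP, the flag field follows Snort's 12UAPRSF layout, and the real preprocessor's time window is ignored.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions (not from the post): 192.0.2.10 stands in for MY.IP,
# the preprocessor's time window is ignored, and the threshold mirrors "21 ports".
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
THRESHOLD = 21
WEB_SERVER = "38.144.52.102"  # address from Farzin's log
CLIENT = "192.0.2.10"

def parse(line):
    """Parse 'sip:sport -> dip:dport FLAGS' where FLAGS is Snort's 12UAPRSF string."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
            "syn": flags[6] == "S", "ack": flags[3] == "A"}

def count_scans(lines, track_outbound):
    """Return portscan alerts; track_outbound adds awareness of HOME_NET's own SYNs."""
    outbound = set()               # (home_ip, home_port, remote_ip, remote_port)
    ports_hit = defaultdict(set)   # remote source -> distinct destination ports seen
    alerts = []
    for p in map(parse, lines):
        if p["syn"] and not p["ack"] and ipaddress.ip_address(p["sip"]) in HOME_NET:
            outbound.add((p["sip"], p["sport"], p["dip"], p["dport"]))
            continue               # our own connection attempts are never a scan
        reply_key = (p["dip"], p["dport"], p["sip"], p["sport"])
        if track_outbound and p["syn"] and p["ack"] and reply_key in outbound:
            continue               # SYN-ACK answering a connection we opened
        ports_hit[p["sip"]].add(p["dport"])
        if len(ports_hit[p["sip"]]) == THRESHOLD:
            alerts.append(f"Portscan detected from {p['sip']}: 1 targets {THRESHOLD} ports")
    return alerts

def browser_burst(n=THRESHOLD, first_port=34189):
    """Constructed traffic: n image fetches, each a SYN out and a SYN-ACK back."""
    lines = []
    for port in range(first_port, first_port + n):
        lines.append(f"{CLIENT}:{port} -> {WEB_SERVER}:80 ******S*")
        lines.append(f"{WEB_SERVER}:80 -> {CLIENT}:{port} ***A**S*")
    return lines

if __name__ == "__main__":
    sample = browser_burst()
    print("naive:   ", count_scans(sample, track_outbound=False))  # one false alert
    print("stateful:", count_scans(sample, track_outbound=True))   # []
```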