[Snort-users] Web servers scanning clients!!!

Jason security at ...5028...
Thu Dec 26 17:16:10 EST 2002


Curious,

What is your config like? Specifically:

targets_max
target_limit
port_limit

Is it a case where you have more hosts on your net than targets_max is 
set to?

Jason

Matt Kettler wrote:
> Actually, note that those are ack-syn packets from their port 80 to 
> ports in the "client" range on your system.
> 
> You're the one "scanning" them.
> 
> In this case your web browser is rapidly opening connections to download 
> a large number of small images in the page. Each successive connection 
> gets a different source-port on your side, and the responses look like a 
> portscan to the portscan2 preprocessor.
> 
> I too have this problem with portscan2 since I enabled it. It seems that 
> some awareness of the outbound syn packets from your home_net should be 
> present to keep this from false-alerting, but it doesn't seem to be 
> present in snort 1.9.0. (this could also be a config bug on my part, and 
> Farzin's too)
> 
> Is this a known bug, or is there some way to tell the portscan2 
> preprocessor how to properly understand large bursts of outbound client 
> connections from HOME_NET?
> 
> 
> 
> At 04:15 PM 12/26/2002 -0800, Farzin wrote:
> 
>> Hi All,
>>
>> Looking at my snort logs, I see that when a user
>> accesses some sites such as
>> http://www.nationalenquirer.com (38.144.52.102), the
>> server turns around and scans about 21 ports on the
>> client. Does anyone know why this is? Below is the
>> log:
>>
>> [**] [117:1:1] (spp_portscan2) Portscan detected from
>> 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
>> 12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
>> TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
>> ***A**S* Seq: 0x4613D2D4  Ack: 0xF07A44E3  Win: 0x2798
>>  TcpLen: 44
>> TCP Options (9) => NOP NOP TS: 1229213631 743607218
>> NOP WS: 0
>> TCP Options => NOP NOP SackOK MSS: 1460
>>
>> [**] [117:1:1] (spp_portscan2) Portscan detected from
>> 38.144.52.102: 1 targets 21 ports in 2 seconds [**]
>> 12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
>> TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
>> ***A**S* Seq: 0x49DDC83A  Ack: 0xF12A7099  Win: 0x2798
>>  TcpLen: 44
>> TCP Options (9) => NOP NOP TS: 1229216268 743609855
>> NOP WS: 0
>> TCP Options => NOP NOP SackOK MSS: 1460
>>
>>
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
>> TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
>> 34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213
>>
>> Thanks in advance,
>>
>>
>>
>>
>> -------------------------------------------------------
>> This sf.net email is sponsored by:ThinkGeek
>> Welcome to geek heaven.
>> http://thinkgeek.com/sf
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 