[Snort-users] Web servers scanning clients!!!

Matt Kettler mkettler at ...4108...
Thu Dec 26 17:40:02 EST 2002


No, this is a port_limit exceeded issue, not a number of targets issue. It 
doesn't matter how many machines are on my lan, or if the number of them is 
greater than targets_max. The number of targets in the alert is 1 :)

What spp_portscan is seeing is > port_limit syn-ack TCP packets from port 
80 on the webserver to changing local ports on a single client machine in 
HOME_NET.

If a webpage contains a few hundred small thumbnails of my vacation to the 
Bahamas (it's cold here right now, I like to think of warm places when it's 
cold) and you browse to that webpage, your web browser will successively 
download each image (actually it will download a few at a time in parallel 
but not all at once.. batches of 4-10 depending on the browser).

This successive loading will generate the following pattern of syns and 
syn-acks, assuming a windowsish client (It is the syn-acks, which are 
responses to legitimate traffic, that snort is alerting on.):

my_machine:1024 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
  (followed by the finishing of the handshake, transfer of data, and tear-down)

  (now the next image)
my_machine:1025 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
  (again, more packets for transfer and tear-down)

(and a third)
my_machine:1026 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(you get the idea..)


Now if the images are small and numerous in the page, and your internet 
connection is fast, and your browser doesn't suck, you can very easily have 
hundreds of connections per second.

I currently have my port_limit set to 60 and it's still going off.

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 
5, port_limit 60, timeout 20
preprocessor portscan2-ignorehosts: 192.168.50.0/24

And a sample alert, where xx.xx.xx.xx is an outside webserver, and 
yy.yy.yy.yy is a machine in my lan:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.130.91.21: 1 
targets 61 ports in 1 seconds [**]
12/26-02:00:56.467413 xx.xxx.xx.xx:80 -> yy.yy.yy.yy:3996
TCP TTL:50 TOS:0x0 ID:39515 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xA77BDB46  Ack: 0x7754F65D  Win: 0x62B8  TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1404




At 08:17 PM 12/26/2002 -0500, Jason wrote:
>Curious,
>
>what is your config like?
>
>specifically,
>
>targets_max
>target_limit
>port_limit
>
>is it a case where you have more hosts on your net than targets_max is set to?
>
>Jason
>
>Matt Kettler wrote:
>>Actually, note that those are ack-syn packets from their port 80 to ports 
>>in the "client" range on your system.
>>You're the one "scanning" them.
>>In this case your web browser is rapidly opening connections to download 
>>a large number of small images in the page. Each successive connection 
>>gets a different source-port on your side, and the responses look like a 
>>portscan to the portscan2 preprocessor.
>>I too have this problem with portscan2 since I enabled it. It seems that 
>>some awareness of the outbound syn packets from your home_net should be 
>>present to keep this from false-alerting, but it doesn't seem to be 
>>present in snort 1.9.0. (this could also be a config bug on my part, and 
>>Farzin's too)
>>Is this a known-bug or is there some way to tell the portscan2 
>>preprocessor how to properly understand large bursts of outbound client 
>>connections from HOME_NET?
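
The mechanism Matt describes above (port_limit counting SYN-ACKs that answer the client's own outbound SYNs), as an added illustration that is not code from the thread or from Snort: a simplified model of the portscan2 port counter beside a variant that remembers outbound SYNs, run over a constructed trace of the thumbnail-download pattern. The server address, the client address and the HOME_NET prefix are constructed values, not from the mail.

```python
from collections import defaultdict

PORT_LIMIT = 60  # the port_limit from the config quoted in the mail
HOME_NET = "192.168.50."  # constructed: treat this /24 as HOME_NET

def is_home(ip):
    return ip.startswith(HOME_NET)

def make_trace(n_images, server="203.0.113.10", client="192.168.50.7"):
    """Constructed trace of the pattern in the mail: one SYN/SYN-ACK pair per
    image, with the client's ephemeral port counting up from 1024."""
    pkts = []
    for i in range(n_images):
        cport = 1024 + i
        pkts.append((client, cport, server, 80, "S"))    # outbound SYN
        pkts.append((server, 80, client, cport, "SA"))   # SYN-ACK reply
    return pkts

def naive_portscan(pkts):
    """Count distinct destination ports per (src, dst) pair for packets
    entering HOME_NET and alert once the count exceeds PORT_LIMIT."""
    ports = defaultdict(set)
    alerts = []
    for src, sport, dst, dport, flags in pkts:
        if is_home(dst) and not is_home(src):
            ports[(src, dst)].add(dport)
            if len(ports[(src, dst)]) > PORT_LIMIT:
                alerts.append((src, dst, len(ports[(src, dst)])))
    return alerts

def syn_aware_portscan(pkts):
    """Same counter, but a SYN-ACK that answers a SYN seen leaving HOME_NET
    is a legitimate reply and is not counted against port_limit."""
    outbound_syns = set()
    ports = defaultdict(set)
    alerts = []
    for src, sport, dst, dport, flags in pkts:
        if is_home(src) and flags == "S":
            outbound_syns.add((src, sport, dst, dport))
            continue
        if is_home(dst) and not is_home(src):
            if flags == "SA" and (dst, dport, src, sport) in outbound_syns:
                continue  # reply to our own connection attempt
            ports[(src, dst)].add(dport)
            if len(ports[(src, dst)]) > PORT_LIMIT:
                alerts.append((src, dst, len(ports[(src, dst)])))
    return alerts
```

With 61 images the naive counter fires exactly as in the sample alert (1 target, 61 ports), while the SYN-aware counter stays silent for the same trace and still fires on SYN-ACKs that no outbound SYN explains.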