[Snort-users] Web servers scanning clients!!!

Matt Kettler mkettler at ...4108...
Thu Dec 26 19:34:02 EST 2002

Ahh, so sorry, I interpreted you as asking intently about target_limit, not 
targets_max.. Which would, really, not matter :)

In any event both scanners_max, and targets_max are at least one order of 
magnitude greater than the total number of used IPs inside this network. 
(ie: there's less than 320 active systems/appliances with IP addresses here).

Even during quiescent hours when nobody else is here I can make the alerts 
fire. Like right now.. yes, there are a couple of servers here, including a 
DNS server, running amok, but the network is relatively quiet at the moment 
and I'm the only human at a computer or making any client systems do much. 
A short run of tcpdump on the snort box showed 52 packets in 19.5 seconds 
(while I was not browsing the web)

[**] [117:1:1] (spp_portscan2) Portscan detected from 1 
targets 61 ports in 7 seconds [**]
12/26-22:31:34.021685 -> xx.xx.xx.xx:1321
TCP TTL:45 TOS:0x0 ID:8401 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x685A5A64  Ack: 0xAA737BF0  Win: 0x7E24  TcpLen: 28
TCP Options (4) => MSS: 1404 NOP NOP SackOK

For this simple example I went to http://www.securityfocus.com/  in mozilla 
(1.2.1, win32), waited 30 seconds for the original connections to time-out 
(I have a 20 sec timeout set for portscan2), and did a shift-reload twice. 
Poof, instant alert from 61 connections in a mere 2 page loads. Given that 
the default is 20, I suspect one load would trigger that level.

At 10:10 PM 12/26/2002 -0500, Jason wrote:

>Matt Kettler wrote:
>>No, this is a port_limit exceeded issue, not a nubmer of targets issue. 
>>It doesn't matter how many machines are on my lan, or if the number of 
>>them is greater than targets_max. The number of targets in the alert is 1 :)
>Are you absolutely sure :-)
>I understand the situation completely. Questions are sometimes intended to 
>get information as much as they are intended to get a thought rolling.
>[snip rest]

More information about the Snort-users mailing list