[Snort-users] (no subject)

Martin Roesch roesch at ...1935...
Tue Jan 8 20:16:10 EST 2002


You can turn this off by removing the "detect_scans" from the
"preprocessor stream4" directive in the snort.conf file.

     -Marty

Peter Charbonneau wrote:
> 
> Let's try this again ....
> 
> I also have a "local" installation on my XP workstation.  My local
> installation picked up the alerts below, but my IP address is NEITHER
> 148.63.230.175 nor 137.165.38.56.
> 
> The 1.7.x NIDS does not show the Vecna Scan - no rule for it;  I am on a
> totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
> THIS SCAN?
> 
> I have googled "vecna scan" and haven't come up with anything of import.
> Can anyone point me in the right direction to solve this?
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:25:19.741535 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:5343 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:25:59.179763 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:65197 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:26:05.589014 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:19737 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:26:12.408611 148.63.230.175:2053 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:36487 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:27:05.304106 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:56639 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:27:11.596751 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:7629 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:27:16.472016 148.63.230.175:2053 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:23699 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:28:08.622985 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:35911 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:28:15.073440 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:57099 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:28:20.945437 148.63.230.175:2053 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:8539 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xF120700A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:29:10.365906 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:62989 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:29:12.687532 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:1307 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:29:18.634989 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:30529 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:30:15.215808 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:18431 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:30:16.428840 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:14973 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:30:21.724133 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:38547 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:31:18.268895 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:18147 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:31:19.167145 148.63.230.175:2113 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:20909 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:31:25.719371 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:39671 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:32:22.207560 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:57997 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:32:29.765880 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:13131 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:33:28.357172 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:41075 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:33:36.270953 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:61835 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:34:30.446340 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:6295 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:34:39.058317 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:26603 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:35:36.313847 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:55721 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:35:41.710352 148.63.230.175:2187 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:9657 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:36:38.339457 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:57215 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:37:42.341166 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:45717 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> [**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
> 01/07/02-02:38:48.717381 148.63.230.175:2238 -> 137.165.38.56:1214
> TCP TTL:116 TOS:0x0 ID:14965 IpLen:20 DgmLen:349 DF
> ****P*** Seq: 0x1189500A  Ack: 0x0  Win: 0x2000  TcpLen: 20
> 
> PeteC
> 
> Peter Charbonneau
> Sr. Network and Systems Administrator
> Williams College
> (413) 597-3408 (desk)
> (413) 822-2922 (cell)
> (209) 391-9821 (fax)
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
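The records quoted above carry enough header detail to see what stream4 reacted to and to check the fix Marty gives. The following is an added example, not code from the thread or from Snort: it parses Snort 1.x full-format alert records, decodes the flag column and payload length, counts recurring (source port, sequence number) pairs, and removes detect_scans from a stream4 directive. The alert text is copied from the post; the snort.conf fragment is constructed to resemble a Snort 1.8-era default and is an assumption, as is my reading of which flag combinations spp_stream4 labels "Vecna scan".

```python
"""Added example (not from the thread): parse Snort 1.x full-format alerts
like the ones quoted above, show which header fields stream4's detect_scans
option reacted to, and apply the fix Marty describes to a snort.conf line.
Alert records are copied from the post; the snort.conf fragment is
constructed to resemble a Snort 1.8-era default, not the poster's file."""
import re
from collections import Counter

# Three of the records quoted in the post, verbatim minus the '> ' quoting.
SAMPLE_ALERTS = """\
[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:19.741535 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:5343 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:25:59.179763 148.63.230.175:2113 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:65197 IpLen:20 DgmLen:349 DF
****P*** Seq: 0xFAE3760A  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [111:11:1] spp_stream4: STEALTH ACTIVITY (Vecna scan) detection [**]
01/07/02-02:26:05.589014 148.63.230.175:2187 -> 137.165.38.56:1214
TCP TTL:116 TOS:0x0 ID:19737 IpLen:20 DgmLen:349 DF
****P*** Seq: 0x8482C0A  Ack: 0x0  Win: 0x2000  TcpLen: 20
"""

# Constructed snort.conf fragment (assumption: resembles the 1.8 default).
SAMPLE_CONF = ("preprocessor stream4: detect_scans, disable_evasion_alerts\n"
               "preprocessor stream4_reassemble")

# Snort prints TCP flags in eight fixed columns: reserved bits 1 and 2,
# then U A P R S F. A '*' means that bit is clear.
FLAG_COLS = "12UAPRSF"

HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+) \[\*\*\]$")
ADDR = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
IPH = re.compile(r"^TCP TTL:(\d+) TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
TCPH = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                  r"\s+Win: \S+\s+TcpLen: (\d+)")


def parse_alerts(text):
    """Return one dict per four-line alert record; skip anything malformed."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h, a, i, t = (HDR.match(lines[0]), ADDR.match(lines[1]),
                      IPH.match(lines[2]), TCPH.match(lines[3]))
        if not (h and a and i and t):
            continue
        flags = {FLAG_COLS[n] for n, ch in enumerate(t.group(1)) if ch != "*"}
        ip_len, dgm_len, tcp_len = int(i.group(2)), int(i.group(3)), int(t.group(4))
        records.append({
            "gid_sid": (int(h.group(1)), int(h.group(2))), "msg": h.group(4),
            "src": a.group(1), "sport": int(a.group(2)),
            "dst": a.group(3), "dport": int(a.group(4)),
            "ttl": int(i.group(1)), "flags": flags,
            "seq": int(t.group(2), 16), "ack": int(t.group(3), 16),
            # Bytes of TCP data actually carried by the segment.
            "payload_len": dgm_len - ip_len - tcp_len,
        })
    return records


def looks_like_vecna(rec):
    """True for the flag pattern stream4 files under 'Vecna scan' (as I read
    spp_stream4.c, an assumption): PSH and/or URG set, no ACK/SYN/FIN/RST."""
    f = rec["flags"]
    return bool(f & {"P", "U"}) and not (f & {"A", "S", "F", "R"})


def repeated_segments(records):
    """Count (src port, seq, payload size) triples: the same triple seen more
    than once is one segment being resent, not a sweep across ports."""
    return Counter((r["sport"], r["seq"], r["payload_len"]) for r in records)


def strip_detect_scans(conf):
    """Marty's fix: drop detect_scans from the stream4 preprocessor line and
    keep every other option in place."""
    out = []
    for line in conf.splitlines():
        if line.lstrip().startswith("preprocessor stream4:"):
            head, _, opts = line.partition(":")
            kept = [o.strip() for o in opts.split(",")
                    if o.strip() and o.strip() != "detect_scans"]
            line = head + (": " + ", ".join(kept) if kept else "")
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for r in recs:
        print(r["sport"], sorted(r["flags"]), hex(r["ack"]), r["payload_len"],
              looks_like_vecna(r))
    print(repeated_segments(recs).most_common(1), strip_detect_scans(SAMPLE_CONF))
```

Run against the quoted records, every one decodes to PSH set, ACK clear, Ack field 0 and 309 bytes of TCP data, all to destination port 1214, with the same source ports and sequence numbers recurring roughly once a minute, which is one set of segments being resent rather than a probe of many ports. Note that detect_scans is the switch for all of stream4's stealth-scan alerts, so removing it as Marty suggests silences the SYN/FIN, NULL, XMAS and FIN variants as well, not just this one.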
