[Snort-users] portscan log...

Edwin Pua edwin1118 at ...125...
Wed Jan 30 22:46:03 EST 2002


Hi Joe,

OK, thanks for the explanation, but how am I gonna know that he was already 
connected to my TCP port? Or I was being attacked/hacked by this source IP? 
I'm using the default rules in my Snort box.

rgds,
edwin


>From: Joe McAlerney <joey at ...47...>
>To: Edwin Pua <edwin1118 at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] portscan log...
>Date: Wed, 30 Jan 2002 18:34:13 -0800
>
>Hi Edwin,
>
>It means the portscanner used TCP packets with only the SYN bit set.
>These packets are used to initiate TCP connections.  The person is
>presumably looking for TCP services running on your box.
>
>For more information on the portscan plugin, take a look at:
>
>http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.3
>
>-Joe M.
>
>--
>Joe McAlerney
>Software Developer / Security Consultant
>joey at ...47...
>Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/
>
>Edwin Pua wrote:
> >
> > Hi,
> >
> >       I saw this message under my portscan.log file and I know that this
> > source IP 137.132.83.218 is scanning my IP 211.156.185.143, but what does
> > SYN*****S* mean?
> >
> > Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
> > Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
> > Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
> > Jan 29 18:52:36 137.132.83.218:2004 -> 211.166.185.143:3377 SYN ******S*
> > Jan 29 18:52:36 137.132.83.218:2005 -> 211.166.185.143:3378 SYN ******S*
> > Jan 29 18:52:37 137.132.83.218:2006 -> 211.166.185.143:3379 SYN ******S*
> > Jan 29 18:52:37 137.132.83.218:2007 -> 211.166.185.143:3380 SYN ******S*
> > Jan 29 18:52:38 137.132.83.218:2008 -> 211.166.185.143:3381 SYN ******S*
> > Jan 29 18:52:38 137.132.83.218:2010 -> 211.166.185.143:3383 SYN ******S*
> > Jan 29 18:52:39 137.132.83.218:2011 -> 211.166.185.143:3384 SYN ******S*
> > Jan 29 18:52:39 137.132.83.218:2012 -> 211.166.185.143:3385 SYN ******S*
> > Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*
> >
> > rgds,
> > edwin
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
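
As an added example (not part of the original thread and not Snort's own code), the following Python parses entries in the portscan.log format quoted above and summarizes what each source probed. The sample lines are constructed, and the flag layout (two reserved bits, then URG ACK PSH RST SYN FIN) is an assumption consistent with `******S*` meaning SYN only. Entries like these record packets sent toward the host, so the summary shows what was probed, not whether any connection completed.

```python
import re
from collections import defaultdict

# Constructed sample in the portscan.log format quoted in the thread
# (documentation-range addresses, not the ones from the original post).
SAMPLE = """\
Jan 29 18:52:34 192.0.2.10:1999 -> 198.51.100.7:3372 SYN ******S*
Jan 29 18:52:34 192.0.2.10:2000 -> 198.51.100.7:3373 SYN ******S*
Jan 29 18:52:35 192.0.2.10:2003 -> 198.51.100.7:3376 SYN ******S*
Jan 29 18:52:36 192.0.2.10:2004 -> 198.51.100.8:3377 SYN ******S*
Jan 29 18:52:40 192.0.2.99:4100 -> 198.51.100.7:80 FIN *******F
this line is not a portscan entry
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S{8})$")

# Assumed position order of the 8-character flag field; '*' means "not set".
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def decode_flags(field):
    """Return the names of the flags set in an 8-character flag field."""
    return [name for name, ch in zip(FLAG_NAMES, field) if ch != "*"]

def parse(text):
    """Yield one dict per well-formed entry; silently skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["flags"] = decode_flags(entry["flags"])
            entry["dport"] = int(entry["dport"])
            yield entry

def summarize(text):
    """Per source: probe count, targets, distinct ports, SYN-only count."""
    out = defaultdict(lambda: {"probes": 0, "targets": set(),
                               "ports": set(), "syn_only": 0})
    for e in parse(text):
        s = out[e["src"]]
        s["probes"] += 1
        s["targets"].add(e["dst"])
        s["ports"].add(e["dport"])
        s["syn_only"] += e["flags"] == ["SYN"]  # bare SYN = connection attempt
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["probes"], sorted(s["targets"]), sorted(s["ports"]))
```
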

