[Snort-users] 17203 portscan alerts in 23 hours from same IP

Jon Quiros sysadmin at ...6132...
Wed Jul 10 08:50:05 EDT 2002


Snort 1.8.6 (Build 105) to MySQL on darwin- using ACID.


I've gotten used to seeing portscans lasting from a few seconds to a few minutes, and from *transient* IPs, unlike 192.193.195.132 (one of Citigroup's web servers, compromised?).
All activity is from port 80 and looks like it's scanning several ports between 1951 and 2014, over and over again.  I know the person on the scanned machine uses Yahoo me$$@#%r on occasion, but I'd never seen this raised before.  So if this is not a false positive, would it look more like a targeted scan?

I'm guessing this might be something NOT to be concerned with, but I'd like to learn more about it, so if you can share some info or insight that'll help me see the larger picture, I'd appreciate and benefit from it.

Thank you!
Jon Q

part of portscan.log
=====
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:11:25 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:11:34 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:11:40 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
Jul  9 10:13:20 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
Jul  9 10:13:21 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
Jul  9 10:13:30 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
Jul  9 10:13:36 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
Jul  9 10:13:40 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
=====
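An added triage helper (not from the original post or from Snort) that parses lines in the portscan.log format shown above, groups them by source IP and source port, and reports what a triager would want to see for this question: how many distinct destination ports, whether the same port cycle recurs, the INVALIDACK kind and the TCP flags, plus a labelled heuristic for "this is return traffic of the user's own connections rather than a scan". The line format and sample are taken from the post; the heuristic and all function names are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
# Snort 1.8 portscan.log line, as in the post:
# "Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<kind>\S+)\s+(?P<flags>\S+)\s*$"
)

def parse_line(line):
    # Return a dict for one log line, or None if the line does not match the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    # Flags are the 8-column "12UAPRSF" string; '*' means that bit is clear.
    e["flags"] = {c for c in e["flags"] if c != "*"}
    return e

def summarize(lines):
    """Group entries by (source IP, source port) and describe each group."""
    groups = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            groups[(e["src"], e["sport"])].append(e)
    report = {}
    for (src, sport), entries in groups.items():
        dport_counts = Counter(e["dport"] for e in entries)
        report[(src, sport)] = {
            "entries": len(entries),
            "distinct_ports": sorted(dport_counts),
            "max_repeats": max(dport_counts.values()),  # >1: the same port cycle recurs
            "kinds": sorted({e["kind"] for e in entries}),
            "flags": "".join(sorted(set().union(*(e["flags"] for e in entries)))),
            # Triage heuristic (an assumption, not a verdict): ACK-bearing packets from a
            # service port to ephemeral ports are usually return traffic of connections the
            # inside host opened; Snort 1.x logs them as INVALIDACK, which is not proof of a scan.
            "looks_like_return_traffic": sport < 1024
            and all(e["dport"] >= 1024 and "A" in e["flags"] for e in entries),
        }
    return report

# Constructed sample in the shape of the post's log: two cycles over the same ports.
SAMPLE = """\
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
""".splitlines()
```

Run `summarize(open("portscan.log").readlines())` on the real file to get the same per-source summary; a group with `max_repeats` well above 1 and `looks_like_return_traffic` true is the pattern described in the post.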