[Snort-users] 17203 portscan alerts in 23 hours from same IP

Ashley Thomas athomas at ...5484...
Wed Jul 10 09:01:05 EDT 2002


Src port 80 seems fishy , right ?
They might be trying to "hide" by using port 80 !

BTW does any one know if there can be a valid packet from src port 80 ->
dest port 53 ?



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jon Quiros
Sent: Wednesday, July 10, 2002 11:49 AM
To: Snort Users
Subject: [Snort-users] 17203 portscan alerts in 23 hours from same IP


Snort 1.8.6 (Build 105) to MySQL on darwin- using ACID.


I've gotten used to seeing portscans lasting from a few seconds to a few
minutes, and from *transient* IP's unlike 192.193.195.132 (one of
citigroup's web servers, compromised?).
All activity is from port 80 and looks like it's scanning several ports
between 1951 and 2014, over and over again.  I know the person on the
scanned machine uses yahoo me$$@#%r on occasion but I'd never seen this
raised before.  so if this is not a false positive would it look like more
of a targetted scan?

I'm guessing this might be something to NOT be concerned with, but I'd like
to learn more about it so if you can share some info or insight about it
that'' help me see the larger picture I'd appreciate and benefit from it.

Thank you!
Jon Q

part of portscan.log
=====
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK
***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK
***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK
***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK
***A*R*F
Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK
***A*R*F
Jul  9 10:11:25 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK
***A*R*F
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK
***A*R*F
Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK
***A*R*F
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK
***A*R*F
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK
***A*R*F
Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK
***A*R*F
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK
***A*R*F
Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK
***A*R*F
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK
***A*R*F
Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK
***A*R*F
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK
***A*R*F
Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK
***A*R*F
Jul  9 10:11:34 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK
***A*R*F
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK
***A*R*F
Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK
***A*R*F
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK
***A*R*F
Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK
***A*R*F
Jul  9 10:11:40 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK
***A*R*F
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK
***A*R*F
Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK
***A*R*F
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK
***A*R*F
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK
***A*R*F
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK
***A*R*F
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK
***A*R*F
Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK
***A*R*F
Jul  9 10:13:20 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK
***A*R*F
Jul  9 10:13:21 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK
***A*R*F
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK
***A*R*F
Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK
***A*R*F
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK
***A*R*F
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK
***A*R*F
Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK
***A*R*F
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK
***A*R*F
Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK
***A*R*F
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK
***A*R*F
Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK
***A*R*F
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK
***A*R*F
Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK
***A*R*F
Jul  9 10:13:30 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK
***A*R*F
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK
***A*R*F
Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK
***A*R*F
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK
***A*R*F
Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK
***A*R*F
Jul  9 10:13:36 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK
***A*R*F
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK
***A*R*F
Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK
***A*R*F
Jul  9 10:13:40 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK
***A*R*F
=====




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list





More information about the Snort-users mailing list