[Snort-users] 17203 portscan alerts in 23 hours from same IP

Jon Quiros sysadmin at ...6132...
Wed Jul 10 11:55:08 EDT 2002


Someone who replied off-list wrote this:

"Looks to me like your source and dest IPs are showing up backwards. It is not a scan, but merely the random source port 1024 incrementing with each connection. Your end user must be doing a lot of on-line banking with Citibank I would say."

This would make perfect sense to me, except I can't envision her staying overnight doing online banking stuff, or any program running in the background following the same pattern over and over again.

Jon Q

>Snort 1.8.6 (Build 105) to MySQL on darwin- using ACID.
>
>
>I've gotten used to seeing portscans lasting from a few seconds
>to a few minutes, and from *transient* IP's unlike
>192.193.195.132 (one of citigroup's web servers, compromised?).
>All activity is from port 80 and looks like it's scanning
>several ports between 1951 and 2014, over and over again.  I
>know the person on the scanned machine uses yahoo me$$@#%r on
>occasion but I'd never seen this raised before.  So if this is
>not a false positive would it look like more of a targeted
>scan?
>
>I'm guessing this might be something to NOT be concerned with,
>but I'd like to learn more about it so if you can share some
>info or insight about it that'll help me see the larger picture
>I'd appreciate and benefit from it.
>
>Thank you!
>Jon Q
>
>part of portscan.log
>=====
>Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
>Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
>Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
>Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
>Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
>Jul  9 10:11:25 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
>Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
>Jul  9 10:11:27 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
>Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
>Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
>Jul  9 10:11:28 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
>Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
>Jul  9 10:11:29 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
>Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
>Jul  9 10:11:30 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
>Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
>Jul  9 10:11:32 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
>Jul  9 10:11:34 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
>Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
>Jul  9 10:11:35 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
>Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
>Jul  9 10:11:38 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
>Jul  9 10:11:40 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
>Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
>Jul  9 10:11:43 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
>Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
>Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F 
>Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F 
>Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F 
>Jul  9 10:13:07 192.193.195.132:80 -> one.of.my.users:1959 INVALIDACK ***A*R*F 
>Jul  9 10:13:20 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F 
>Jul  9 10:13:21 192.193.195.132:80 -> one.of.my.users:1975 INVALIDACK ***A*R*F 
>Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1976 INVALIDACK ***A*R*F 
>Jul  9 10:13:23 192.193.195.132:80 -> one.of.my.users:1978 INVALIDACK ***A*R*F 
>Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1980 INVALIDACK ***A*R*F 
>Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1982 INVALIDACK ***A*R*F 
>Jul  9 10:13:24 192.193.195.132:80 -> one.of.my.users:1983 INVALIDACK ***A*R*F 
>Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1984 INVALIDACK ***A*R*F 
>Jul  9 10:13:25 192.193.195.132:80 -> one.of.my.users:1985 INVALIDACK ***A*R*F 
>Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1987 INVALIDACK ***A*R*F 
>Jul  9 10:13:26 192.193.195.132:80 -> one.of.my.users:1986 INVALIDACK ***A*R*F 
>Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1988 INVALIDACK ***A*R*F 
>Jul  9 10:13:28 192.193.195.132:80 -> one.of.my.users:1991 INVALIDACK ***A*R*F 
>Jul  9 10:13:30 192.193.195.132:80 -> one.of.my.users:1994 INVALIDACK ***A*R*F 
>Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1997 INVALIDACK ***A*R*F 
>Jul  9 10:13:31 192.193.195.132:80 -> one.of.my.users:1998 INVALIDACK ***A*R*F 
>Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:1999 INVALIDACK ***A*R*F 
>Jul  9 10:13:34 192.193.195.132:80 -> one.of.my.users:2000 INVALIDACK ***A*R*F 
>Jul  9 10:13:36 192.193.195.132:80 -> one.of.my.users:2002 INVALIDACK ***A*R*F 
>Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2011 INVALIDACK ***A*R*F 
>Jul  9 10:13:39 192.193.195.132:80 -> one.of.my.users:2012 INVALIDACK ***A*R*F 
>Jul  9 10:13:40 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F 
>=====
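As an added triage example (not from the original thread, the off-list reply, or Snort itself), this script groups portscan.log lines by source and labels the pattern the reply describes: one fixed well-known port answering an incrementing band of ephemeral ports with ACK/RST/FIN, which is what a web server's replies look like when source and destination are read backwards. The sample lines are constructed in the quoted log format; the 10.0.0.9 bare-SYN lines are an invented contrast so the heuristic is shown not suppressing a real sweep.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted portscan.log format. First group mirrors the port 80
# replies from the thread; the 10.0.0.9 lines are an invented contrast (bare SYNs, low ports).
SAMPLE_LOG = """\
Jul  9 10:09:48 192.193.195.132:80 -> one.of.my.users:1951 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1955 INVALIDACK ***A*R*F
Jul  9 10:11:11 192.193.195.132:80 -> one.of.my.users:1956 INVALIDACK ***A*R*F
Jul  9 10:11:24 192.193.195.132:80 -> one.of.my.users:1973 INVALIDACK ***A*R*F
Jul  9 10:11:44 192.193.195.132:80 -> one.of.my.users:2014 INVALIDACK ***A*R*F
Jul  9 11:02:01 10.0.0.9:41233 -> one.of.my.users:22 SYN ******S*
Jul  9 11:02:01 10.0.0.9:41234 -> one.of.my.users:23 SYN ******S*
Jul  9 11:02:01 10.0.0.9:41235 -> one.of.my.users:443 SYN ******S*
"""

# Snort 1.8 portscan.log line: "<mon> <day> <hh:mm:ss> src:sport -> dst:dport <type> <flags>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>\S+)$"
)

def parse(log):
    """Yield (src, sport, dst, dport, flags) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def triage(log):
    """Per source IP: a single well-known source port, only ephemeral destination ports
    and no bare SYN packets is the return-traffic pattern; anything else is left open."""
    by_src = defaultdict(list)
    for src, sport, dst, dport, flags in parse(log):
        by_src[src].append((sport, dport, flags))
    verdicts = {}
    for src, evts in by_src.items():
        sports = {sp for sp, _, _ in evts}
        dports = {dp for _, dp, _ in evts}
        bare_syn = any("S" in fl and "A" not in fl for _, _, fl in evts)   # SYN without ACK
        reply_like = (len(sports) == 1 and min(sports) < 1024
                      and min(dports) >= 1024 and not bare_syn)
        verdicts[src] = {
            "events": len(evts),
            "src_ports": sorted(sports),
            "dst_port_range": (min(dports), max(dports)),
            "verdict": "likely server replies to client ephemeral ports"
                       if reply_like else "possible scan, investigate",
        }
    return verdicts
```

Run it against a real portscan.log by passing the file contents to `triage`; sources labelled "possible scan" still need a human look, the label only removes the backwards-read reply case from the pile.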