[Snort-users] 17203 portscan alerts in 23 hours from same IP
mkettler at ...4108...
Wed Jul 10 13:36:04 EDT 2002
Perhaps the citibank webpage has a gif-image which reloads at regular
intervals? In that case all she'd need to do is leave the browser open, and
those kinds of reloading images are pretty common.
It strikes me as highly absurd to consider reset/fin packets coming from
port 80 on a valid webserver to be a portscan of any sort. Sure webservers
get knocked over and used to attack others sometimes, but very rarely do
those scans originate from port 80 (since they'd have to shut the webserver
down) and rarely do they consist of ARF ("close connection and stop talking
to me, don't even acknowledge the close") type packets at regular intervals
to normal client ports. ARF isn't exactly a very useful combination of
flags for portscanning AFAIK.
I think the appropriate question to ask here is "why was my user's machine
trying to contact citibank's website so frequently" rather than "why was
citibank scanning me", and I think the answer is that someone had a couple
of pages with self-refreshing images open and left the browser running.
At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
>someone that replied off-list wrote this:
>"Looks to me like your source and dest IPs are showing up backwards. It is
>not a scan, but merely the random source port 1024 incrementing with each
>connection. Your end user must be doing a lot of on-line banking with
>Citibank I would say."
>This would make perfect sense to me, except i can't envision her staying
>over night doing online banking stuff, or any program running in the
>bkgrnd following the same pattern over and over again
More information about the Snort-users