[Snort-users] 17203 portscan alerts in 23 hours from same IP

Matt Kettler mkettler at ...4108...
Wed Jul 10 13:36:04 EDT 2002

Perhaps the citibank webpage has a gif-image which reloads at regular 
intervals? In that case all she'd need to do is leave the browser open, and 
those kinds of reloading images are pretty common.

It strikes me as highly absurd to consider reset/fin packets coming from 
port 80 on a valid webserver to be a portscan of any sort. Sure webservers 
get knocked over and used to attack others sometimes, but very rarely do 
those scans originate from port 80 (since they'd have to shut the webserver 
down) and rarely do they consist of ARF ("close connection and stop talking 
to me, don't even acknowledge the close") type packets at regular intervals 
to normal client ports. ARF isn't exactly a very useful combination of 
flags for portscanning AFAIK.

I think the appropriate question to ask here is "why was my user's machine 
trying to contact citibank's website so frequently" rather than "why was 
citibank scanning me", and I think the answer is that someone had a couple 
of pages with self-refreshing images open and left the browser running.

At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
>someone that replied off-list wrote this:
>"Looks to me like your source and dest IPs are showing up backwards. It is 
>not a scan, but merely the random source port 1024 incrementing with each 
>connection. Your end user must be doing a lot of on-line banking with 
>Citibank I would say."
>This would make perfect sense to me, except i can't envision her staying 
>over night doing online banking stuff, or any program running in the 
>bkgrnd following the same pattern over and over again
>Jon Q

More information about the Snort-users mailing list