[Snort-users] RV: portscan

Petriz, Pablo ppetriz at ...3815...
Mon Jun 3 08:02:05 EDT 2002


I'm not using Nessus right now.
I wonder if the originator PC is infected with some worm 
that generates that traffic...

PABLO

> -----Original Message-----
> From: Hugo Ferr [mailto:snortgrp at ...125...]
> Sent: Friday, May 31, 2002 04:05
> To: Petriz, Pablo; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] RV: portscan
> 
> 
> SYN and VECNA entries... I've seen them a lot when I was
> doing Nessus scans from inside my network to outside.
> Do you have Nessus running on your network?
> ----- Original Message -----
> From: "Petriz, Pablo" <ppetriz at ...3815...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Friday, May 31, 2002 2:04 PM
> Subject: [Snort-users] RV: portscan
> 
> 
> > Please. Can someone answer this?
> > Tell me if you need more info.
> > TIA
> >
> > PABLO
> >
> > > -----Original Message-----
> > > From: Petriz, Pablo
> > > Sent: Thursday, May 30, 2002 04:40
> > > To: 'snort-users at lists.sourceforge.net'
> > > Subject: portscan
> > >
> > >
> > > Hello list!
> > > My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2
> > > private networks.
> > > At the DMZ we have Apache + SCO Tarantella and a MS Terminal Server
> > > to share an application. I have various connections working well
> > > and today we were bringing up a new connection when Snort detected
> > > a portscan from the PC (Win98) we were working on. The bring-up job
> > > consists of pointing the browser to the site at the DMZ and then
> > > logging in to Tarantella, so what can be the cause of the portscan
> > > from that PC?
> > > portscan.log shows entries to port 80 (apache) and 3144
> > > (tarantella)
> > > Here are the alert and portscan.log files.
> > > Thank you!!!
> > >
> > > PABLO
> > >
> > > alert
> > > =====
> > > [**] [100:1:1]  <eth1> spp_portscan: PORTSCAN DETECTED on
> > > eth1 to port 80 from x.x.x.x (STEALTH) [**]
> > > 05/30-13:21:40.010817
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > > 05/30-13:22:41.428323
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:22:47.311326
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > > 05/30-13:25:19.802265
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> > > 05/30-13:29:04.070375
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:30:36.666846
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:30:40.024516
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > > 05/30-13:30:44.383457
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:34:34.340470
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:35:06.263163
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:35:16.842867
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:35:35.662691
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > > 05/30-13:37:11.728234
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:37:58.647353
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> > > 05/30-13:38:10.834317
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:39:09.880222
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:39:31.116911
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:39:51.451081
> > > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > > 05/30-13:44:02.704023
> > > [**] [100:3:1]  <eth1> spp_portscan: End of portscan from
> > > x.x.x.x: TOTAL time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
> > > 05/30-13:44:07.835669
> > >
> > > portscan.log
> > > ============
> > > May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
> > > May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
> > > May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
> > > May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S*
> > > May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S*
> > > May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
> > > May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S*
> > > May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U*****
> > > May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S*
> > > May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S*
> > > May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S*
> >
> 
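To help a reader sort out which of the portscan.log entries above are ordinary connection attempts and which are the flag combinations that a normal client stack never sends, here is a small parser for that Snort 1.8 portscan.log format. This is added example code, not part of the thread or of Snort itself; the sample lines and the addresses in it are constructed to mirror the log posted above, and the class labels ("normal-syn", "reserved-bits", "contradictory", "odd-no-ack") are my own naming, not Snort's.

```python
import re
from collections import Counter

# Constructed sample in the layout of Snort 1.8 spp_portscan's portscan.log.
# Addresses are documentation ranges, not taken from any real host.
SAMPLE_LOG = """\
May 30 13:22:41 10.0.0.5:1099 -> 192.0.2.10:80 SYN ******S*
May 30 13:21:39 10.0.0.5:1097 -> 192.0.2.10:80 VECNA 1***P**F
May 30 13:22:47 10.0.0.5:1100 -> 192.0.2.10:3144 SYN ******S*
May 30 13:22:49 10.0.0.5:1101 -> 192.0.2.10:80 NOACK *****RSF
May 30 13:30:43 10.0.0.5:1107 -> 192.0.2.10:80 VECNA 12U*****
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<tag>\S+) (?P<flags>[12UAPRSF*]{8})$"
)

# The 8-character flag field reads: reserved bit 1, reserved bit 2,
# then URG ACK PSH RST SYN FIN. A '*' means that bit is clear.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def decode_flags(field):
    return {name for name, ch in zip(FLAG_NAMES, field) if ch != "*"}

def classify(flags):
    """A lone SYN is how every legitimate TCP connection starts; the other
    combinations logged here are ones no healthy client stack emits."""
    if flags == {"SYN"}:
        return "normal-syn"
    if flags & {"RES1", "RES2"}:
        return "reserved-bits"      # reserved header bits set
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "contradictory"      # open and close/abort in one segment
    return "odd-no-ack"             # data/teardown flags with no ACK

def parse(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portscan.log entry; skip it
        d = m.groupdict()
        d["flags"] = decode_flags(d["flags"])
        d["class"] = classify(d["flags"])
        entries.append(d)
    return entries

def summarize(entries):
    """Count entries per (destination port, class) so a glance shows whether
    the 'scan' is mostly plain SYNs to the expected service ports."""
    return Counter((e["dport"], e["class"]) for e in entries)
```

Run against the sample, the summary shows the SYNs to 80 and 3144 are what a browser and Tarantella session would produce, and only the reserved-bit and SYN+RST+FIN entries are worth chasing on the Win98 host.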