[Snort-users] portscan

Petriz, Pablo ppetriz at ...3815...
Thu May 30 13:01:02 EDT 2002


Hello list!
My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2 private networks.
At the DMZ we have Apache + SCO Tarantella and a MS Terminal Server
to share an application. I have various connections working well,
and today we were bringing up a new connection when Snort detected
a portscan from the PC (Win98) we were working on. The bring-up job
consists of pointing the browser to the site at the DMZ and then logging in
to Tarantella, so what can be the cause of the portscan from that PC?
portscan.log shows entries to port 80 (apache) and 3144 (tarantella).
Here are the alert and portscan.log files.
Thank you!!!

PABLO

alert
=====
[**] [100:1:1]  <eth1> spp_portscan: PORTSCAN DETECTED on eth1 to port 80
from x.x.x.x (STEALTH) [**]
05/30-13:21:40.010817 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:22:41.428323 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:22:47.311326 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:25:19.802265 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:29:04.070375 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:36.666846 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:30:40.024516 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:30:44.383457 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:34:34.340470 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:06.263163 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:16.842867 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:35:35.662691 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
05/30-13:37:11.728234 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:37:58.647353 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 2
connections across 1 hosts: TCP(2), UDP(0) [**]
05/30-13:38:10.834317 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:09.880222 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:31.116911 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:39:51.451081 
[**] [100:2:1]  <eth1> spp_portscan: portscan status from x.x.x.x: 1
connections across 1 hosts: TCP(1), UDP(0) [**]
05/30-13:44:02.704023 
[**] [100:3:1]  <eth1> spp_portscan: End of portscan from x.x.x.x: TOTAL
time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
05/30-13:44:07.835669 

portscan.log
============
May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S* 
May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F 
May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S* 
May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S* 
May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF 
May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S* 
May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S* 
May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S* 
May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S* 
May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S* 
May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U***** 
May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S* 
May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S* 
May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S* 
May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S* 
May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U***** 
May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S* 
May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S* 
May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S* 
May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S* 
May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S* 
May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S* 
May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S* 
May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S* 
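
An added triage script (not part of Pablo's post and not Snort's own code) that parses lines in the portscan.log format quoted above, reading the flag column in Snort's fixed "12UAPRSF" order, and summarises per source how many distinct destination ports were touched and how many packets were plain SYNs versus odd flag combinations such as the VECNA and NOACK entries. The regex and the distinct-port threshold used for the verdict are my assumptions; the sample lines are copied from the post.

```python
import re
from collections import Counter, defaultdict

# Snort prints TCP flags in the fixed column order "12UAPRSF":
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN ('*' = not set).
FLAG_ORDER = "12UAPRSF"

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[^:\s]+):\d+ -> [^:\s]+:(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})"
)

# Sample entries taken from the portscan.log quoted in the post above.
SAMPLE = """\
May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S*
May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
""".splitlines()

def parse_line(line):
    """Return a dict for one portscan.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {FLAG_ORDER[i] for i, c in enumerate(m.group("flags")) if c != "*"}
    return {"src": m.group("src"), "dport": int(m.group("dport")),
            "kind": m.group("kind"), "flags": flags}

def triage(lines, scan_port_threshold=5):
    """Summarise each source: distinct destination ports, SYN-only vs odd-flag
    packets. A sweep touches many ports; the threshold here is assumed."""
    per_src = defaultdict(lambda: {"ports": Counter(), "syn": 0, "odd": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["ports"][rec["dport"]] += 1
        if rec["flags"] == {"S"}:
            s["syn"] += 1  # ordinary connection attempt (SYN only)
        else:
            s["odd"] += 1  # VECNA/NOACK-style combinations (stray bits, RST+FIN, ...)
    return {src: {"distinct_ports": len(s["ports"]), "syn_only": s["syn"],
                  "odd_flags": s["odd"],
                  "verdict": "likely scan" if len(s["ports"]) >= scan_port_threshold
                  else "few service ports: likely client traffic"}
            for src, s in per_src.items()}
```

Run over the full portscan.log above, every entry from the Win98 PC lands on just two service ports, which is what a browser plus Tarantella session looks like, while the VECNA/NOACK rows are the stray flag combinations that tip spp_portscan's stealth counters.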