[Snort-users] RV: portscan

Petriz, Pablo ppetriz at ...3815...
Fri May 31 11:22:06 EDT 2002


Please. Can someone answer this?
Tell me if you need more info.
TIA

PABLO

> -----Original Message-----
> From: Petriz, Pablo 
> Sent: Thursday, May 30, 2002 04:40
> To: 'snort-users at lists.sourceforge.net'
> Subject: portscan
> 
> 
> Hello list!
> My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2 private networks.
> At DMZ we have Apache + SCO Tarantella and a MS Terminal Server 
> to share an application. I have various connections working well
> and today we were bringing up a new connection when Snort detected
> a portscan from the PC (Win98) we were working on. The bring-up job 
> consists of pointing the browser to the site at the DMZ and then logging in
> to Tarantella, so what can be the cause of the portscan from that PC?
> portscan.log shows entries to port 80 (apache) and 3144 (tarantella).
> Here are the alert and portscan.log files. 
> Thank you!!!
> 
> PABLO
> 
> alert
> =====
> [**] [100:1:1]  <eth1> spp_portscan: PORTSCAN DETECTED on 
> eth1 to port 80 from x.x.x.x (STEALTH) [**]
> 05/30-13:21:40.010817 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> 05/30-13:22:41.428323 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:22:47.311326 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> 05/30-13:25:19.802265 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> 05/30-13:29:04.070375 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:30:36.666846 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:30:40.024516 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> 05/30-13:30:44.383457 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:34:34.340470 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:35:06.263163 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:35:16.842867 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:35:35.662691 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> 05/30-13:37:11.728234 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:37:58.647353 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> 05/30-13:38:10.834317 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:39:09.880222 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:39:31.116911 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:39:51.451081 
> [**] [100:2:1]  <eth1> spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 05/30-13:44:02.704023 
> [**] [100:3:1]  <eth1> spp_portscan: End of portscan from 
> x.x.x.x: TOTAL time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
> 05/30-13:44:07.835669 
> 
> portscan.log
> ============
> May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S* 
> May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F 
> May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S* 
> May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S* 
> May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF 
> May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S* 
> May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S* 
> May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S* 
> May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S* 
> May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S* 
> May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U***** 
> May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S* 
> May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S* 
> May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S* 
> May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S* 
> May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U***** 
> May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S* 
> May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S* 
> May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S* 
> May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S* 
> May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S* 
> May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S* 
> May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S* 
> May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S* 
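As an added example (not from the post or from Snort itself), a small Python parser for the Snort 1.8.x portscan.log format shown above: it decodes each entry's 8-character TCP flag string and summarises per source how many distinct hosts and ports were touched versus how many packets carried an odd flag combination, which is what separates a genuine sweep from a flaky client hitting two service ports. The sample lines and the triage thresholds are constructed for this example and use documentation addresses.

```python
import re

# Constructed sample in Snort 1.8.x portscan.log format (documentation addresses, not
# the post's data): plain SYNs to two service ports plus odd-flag "stealth" entries.
SAMPLE_LOG = """\
May 30 13:22:41 192.0.2.10:1099 -> 198.51.100.5:80 SYN ******S*
May 30 13:21:39 192.0.2.10:1097 -> 198.51.100.5:80 VECNA 1***P**F
May 30 13:22:47 192.0.2.10:1100 -> 198.51.100.5:3144 SYN ******S*
May 30 13:22:49 192.0.2.10:1101 -> 198.51.100.5:80 NOACK *****RSF
May 30 13:30:44 192.0.2.10:1106 -> 198.51.100.5:80 NOACK ****P*S*
May 30 13:30:43 192.0.2.10:1107 -> 198.51.100.5:80 VECNA 12U*****
"""
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})$")

# Snort prints TCP flags as an 8-char string: reserved bits 1 and 2, then
# URG ACK PSH RST SYN FIN, with '*' for a bit that is clear.
FLAG_NAMES = "12UAPRSF"

def parse_flags(s):
    """'******S*' -> {'S'}; '1***P**F' -> {'1', 'P', 'F'}."""
    return {FLAG_NAMES[i] for i, c in enumerate(s) if c != "*"}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # not a portscan.log entry; skip it
    rec = m.groupdict()
    rec["flagset"] = parse_flags(rec["flags"])
    return rec

def summarize(text):
    """Per source: target hosts/ports, count of plain SYNs, list of odd-flag packets."""
    out = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        s = out.setdefault(rec["src"], {"hosts": set(), "ports": set(), "syn": 0, "odd": []})
        s["hosts"].add(rec["dst"])
        s["ports"].add(int(rec["dport"]))
        if rec["flagset"] == {"S"}:
            s["syn"] += 1    # ordinary connection attempt
        else:
            s["odd"].append((rec["kind"], rec["flags"], "".join(sorted(rec["flagset"]))))
    return out

def looks_like_real_scan(s, min_ports=10, min_hosts=2):
    """Triage heuristic; thresholds are this example's assumption, not Snort's.
    A sweep touches many ports or hosts; a couple of service ports is not one."""
    return len(s["ports"]) >= min_ports or len(s["hosts"]) >= min_hosts
```

Run on the post's own log, the same summary shows one target host, ports 80 and 3144 only, and a handful of PSH/FIN, RST/SYN/FIN and URG entries among ordinary SYNs, which is the profile of a malformed-packet false positive rather than a port sweep.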