[Snort-users] RV: portscan

Hugo Ferr snortgrp at ...125...
Fri May 31 12:06:26 EDT 2002


SYN and VECNA entries... I've seen them a lot when I was doing Nessus scans
from inside my network to outside.
Do you have Nessus running on your network?
----- Original Message -----
From: "Petriz, Pablo" <ppetriz at ...3815...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, May 31, 2002 2:04 PM
Subject: [Snort-users] RV: portscan


> Please. Can someone answer this?
> Tell me if you need more info.
> TIA
>
> PABLO
>
> > -----Original Message-----
> > From: Petriz, Pablo
> > Sent: Thursday, May 30, 2002 04:40
> > To: 'snort-users at lists.sourceforge.net'
> > Subject: portscan
> >
> >
> > Hello list!
> > My Snort 1.8.6 (RH 7.2) is monitoring a DMZ between 2 private networks.
> > At the DMZ we have Apache + SCO Tarantella and an MS Terminal Server
> > to share an application. I have various connections working well,
> > and today we were bringing up a new connection when Snort detected
> > a portscan from the PC (Win98) we were working on. The bring-up job
> > consists of pointing the browser to the site at the DMZ and then logging in
> > to Tarantella, so what can be the cause of the portscan from that PC?
> > portscan.log shows entries to port 80 (apache) and 3144 (tarantella).
> > Here are the alert and portscan.log files.
> > Thank you!!!
> >
> > PABLO
> >
> > alert
> > =====
> > [**] [100:1:1]  <eth1> spp_portscan: PORTSCAN DETECTED on
> > eth1 to port 80 from x.x.x.x (STEALTH) [**]
> > 05/30-13:21:40.010817
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > 05/30-13:22:41.428323
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:22:47.311326
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > 05/30-13:25:19.802265
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> > 05/30-13:29:04.070375
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:30:36.666846
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:30:40.024516
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > 05/30-13:30:44.383457
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:34:34.340470
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:35:06.263163
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:35:16.842867
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:35:35.662691
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
> > 05/30-13:37:11.728234
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:37:58.647353
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 2 connections across 1 hosts: TCP(2), UDP(0) [**]
> > 05/30-13:38:10.834317
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:39:09.880222
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:39:31.116911
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:39:51.451081
> > [**] [100:2:1]  <eth1> spp_portscan: portscan status from
> > x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> > 05/30-13:44:02.704023
> > [**] [100:3:1]  <eth1> spp_portscan: End of portscan from
> > x.x.x.x: TOTAL time(1093s) hosts(1) TCP(24) UDP(0) STEALTH [**]
> > 05/30-13:44:07.835669
> >
> > portscan.log
> > ============
> > May 30 13:22:41 x.x.x.x:1099 -> y.y.y.y:80 SYN ******S*
> > May 30 13:21:39 x.x.x.x:1097 -> y.y.y.y:80 VECNA 1***P**F
> > May 30 13:22:47 x.x.x.x:1100 -> y.y.y.y:3144 SYN ******S*
> > May 30 13:25:19 x.x.x.x:1102 -> y.y.y.y:80 SYN ******S*
> > May 30 13:22:49 x.x.x.x:1101 -> y.y.y.y:80 NOACK *****RSF
> > May 30 13:25:20 x.x.x.x:1103 -> y.y.y.y:3144 SYN ******S*
> > May 30 13:29:04 x.x.x.x:1104 -> y.y.y.y:80 SYN ******S*
> > May 30 13:30:36 x.x.x.x:1106 -> y.y.y.y:80 SYN ******S*
> > May 30 13:30:40 x.x.x.x:1107 -> y.y.y.y:80 SYN ******S*
> > May 30 13:30:44 x.x.x.x:1106 -> y.y.y.y:80 NOACK ****P*S*
> > May 30 13:30:43 x.x.x.x:1107 -> y.y.y.y:80 VECNA 12U*****
> > May 30 13:34:34 x.x.x.x:1112 -> y.y.y.y:80 SYN ******S*
> > May 30 13:35:06 x.x.x.x:1115 -> y.y.y.y:80 SYN ******S*
> > May 30 13:35:16 x.x.x.x:1116 -> y.y.y.y:80 SYN ******S*
> > May 30 13:35:35 x.x.x.x:1118 -> y.y.y.y:3144 SYN ******S*
> > May 30 13:35:36 x.x.x.x:1116 -> y.y.y.y:80 VECNA **U*****
> > May 30 13:37:11 x.x.x.x:1121 -> y.y.y.y:80 SYN ******S*
> > May 30 13:37:58 x.x.x.x:1125 -> y.y.y.y:80 SYN ******S*
> > May 30 13:37:59 x.x.x.x:1126 -> y.y.y.y:80 SYN ******S*
> > May 30 13:38:10 x.x.x.x:1128 -> y.y.y.y:3144 SYN ******S*
> > May 30 13:39:09 x.x.x.x:1130 -> y.y.y.y:80 SYN ******S*
> > May 30 13:39:31 x.x.x.x:1131 -> y.y.y.y:80 SYN ******S*
> > May 30 13:39:51 x.x.x.x:1135 -> y.y.y.y:80 SYN ******S*
> > May 30 13:39:52 x.x.x.x:1137 -> y.y.y.y:80 SYN ******S*
>

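An added example, not code from either poster: a small parser for the spp_portscan portscan.log format quoted above. It decodes the positional flag field (Snort 1.x writes it as "12UAPRSF": the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN, with '*' for a clear bit), separates plain connection attempts from the flag combinations spp_portscan labels as stealth, and summarises per source how many hosts and ports were actually touched. The sample lines are constructed after the log in the post, with documentation addresses 192.0.2.10 and 198.51.100.5 standing in for x.x.x.x and y.y.y.y; the "odd flags on a session that already sent a plain SYN" count is a triage heuristic of mine, not something Snort reports.

```python
"""Parse Snort 1.x spp_portscan portscan.log lines and summarise what the
"scan" consisted of. Added example; not code from the original thread."""
import re
from collections import defaultdict
from datetime import datetime

# Positional flag field written by spp_portscan: "12UAPRSF".
# Positions 0 and 1 are the two reserved bits (later CWR and ECE), then
# URG, ACK, PSH, RST, SYN, FIN. A '*' means the bit is clear.
FLAG_NAMES = ("1", "2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>[12UAPRSF*]{8})\s*$"
)

# Constructed sample, modelled on the portscan.log quoted in the post.
SAMPLE_LOG = """\
May 30 13:22:41 192.0.2.10:1099 -> 198.51.100.5:80 SYN ******S*
May 30 13:21:39 192.0.2.10:1097 -> 198.51.100.5:80 VECNA 1***P**F
May 30 13:22:47 192.0.2.10:1100 -> 198.51.100.5:3144 SYN ******S*
May 30 13:22:49 192.0.2.10:1101 -> 198.51.100.5:80 NOACK *****RSF
May 30 13:30:36 192.0.2.10:1106 -> 198.51.100.5:80 SYN ******S*
May 30 13:30:40 192.0.2.10:1107 -> 198.51.100.5:80 SYN ******S*
May 30 13:30:44 192.0.2.10:1106 -> 198.51.100.5:80 NOACK ****P*S*
May 30 13:30:43 192.0.2.10:1107 -> 198.51.100.5:80 VECNA 12U*****
May 30 13:35:16 192.0.2.10:1116 -> 198.51.100.5:80 SYN ******S*
May 30 13:35:36 192.0.2.10:1116 -> 198.51.100.5:80 VECNA **U*****
""".splitlines()


def parse_flags(field):
    """'******S*' -> {'SYN'}; '1***P**F' -> {'1', 'PSH', 'FIN'}."""
    return frozenset(n for n, ch in zip(FLAG_NAMES, field) if ch != "*")


def parse_line(line):
    """One portscan.log line -> dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year defaults to 1900; only ordering matters
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "kind": m["kind"], "flags": parse_flags(m["flags"]),
    }


def classify(flags):
    """A lone SYN (or SYN plus the two ECN bits, RFC 3168) is an ordinary
    connection attempt. Any other combination is one a well-behaved stack
    does not use to open a connection; that is what spp_portscan tags STEALTH."""
    if "SYN" in flags and flags <= {"SYN", "1", "2"}:
        return "connect"
    return "anomalous"


def summarise(lines):
    """Per source address: event count, distinct targets, distinct ports,
    anomalous-flag packets, and how many of those hit a 4-tuple that had
    already sent a plain SYN (heuristic: mangled packet inside an existing
    session rather than a fresh probe)."""
    entries = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    per_src = defaultdict(lambda: {"events": 0, "hosts": set(), "ports": set(),
                                   "anomalous": 0, "anomalous_in_session": 0,
                                   "seen_syn": set()})
    for e in entries:
        s = per_src[e["src"]]
        s["events"] += 1
        s["hosts"].add(e["dst"])
        s["ports"].add(e["dport"])
        key = (e["sport"], e["dst"], e["dport"])
        if classify(e["flags"]) == "connect":
            s["seen_syn"].add(key)
        else:
            s["anomalous"] += 1
            if key in s["seen_syn"]:
                s["anomalous_in_session"] += 1
    return {src: {"events": s["events"], "hosts": len(s["hosts"]),
                  "ports": sorted(s["ports"]), "anomalous": s["anomalous"],
                  "anomalous_in_session": s["anomalous_in_session"]}
            for src, s in per_src.items()}


def within_expected_services(stats, expected_ports):
    """True when the source touched a single host and only ports it was
    expected to use. A rough triage aid only: a real scan can also be
    slow and narrow, so this does not prove the traffic is benign."""
    return stats["hosts"] == 1 and set(stats["ports"]) <= set(expected_ports)


if __name__ == "__main__":
    for src, stats in summarise(SAMPLE_LOG).items():
        print(src, stats, "expected-services-only:",
              within_expected_services(stats, {80, 3144}))
```

Run against the constructed sample, the summary shows one source hitting one host on ports 80 and 3144 only, with three of the five odd-flag packets landing on source ports that had already sent a normal SYN. That is the shape of the question in the thread: whether a handful of flag anomalies in ordinary browser sessions is enough to call a single-host, two-port event a port scan, which is a tuning decision for spp_portscan rather than something the log alone settles.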