[Snort-users] Snort portscan false positives?

Felipe Alfaro Solana snort at ...7121...
Wed Oct 9 12:46:05 EDT 2002


Hi!

I'm net to Snort and IDS... I'm curious to know what's passing through
my ADSL router, so I installed SNORT on an old spare computer. I own a
3Com OfficeConnect 812 ADSL router... it's discontinued but works pretty
fine. It's an ADSL router and a 4-port hub, so I hooked up my old
computer to one of the ports of the router so I could analyze all the
traffic coming in/going out from/to the Internet.

I installed SNORT 1.9, grabbed and installed the latest set of
signatures. Since I installed SNORT, I'm seeing a lot of portscan
attempts to my main computer (IP address 192.168.0.100, the one I use to
write e-mails, surf the Web, etc).

For example, I have seen the following alert:

--- BEGIN ---
10/09-21:17:21.903879  [**] [117:1:1] (spp_portscan2) Portscan detected
from 62.6.161.75: 1 targets 21 ports in 24 seconds [**] {TCP}
62.6.161.75:80 -> 192.168.0.100:33395
--- END ---

and

--- SCAN.LOG ---
10/09-21:17:21.903879  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33395 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
10/09-21:17:21.907279  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33396 tgts: 1 ports: 22 flags: ***A**S* event_id: 51
10/09-21:17:21.910502  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33397 tgts: 1 ports: 23 flags: ***A**S* event_id: 51
10/09-21:17:21.913687  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33398 tgts: 1 ports: 24 flags: ***A**S* event_id: 51
10/09-21:17:21.917141  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33399 tgts: 1 ports: 25 flags: ***A**S* event_id: 51
10/09-21:17:21.920222  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33400 tgts: 1 ports: 26 flags: ***A**S* event_id: 51
10/09-21:17:21.925067  TCP src: 62.6.161.75 dst: 192.168.0.100 sport: 80
dport: 33401 tgts: 1 ports: 27 flags: ***A**S* event_id: 51
--- END ---

This is very, very curious. My router is using NAT and does not forward
traffic. So, how is it possible for an external host to reach ports on
my working machine? If I understand NAT correctly, when LAN host
contacts with an Internet host, an entry in the router is added to
correlate the LAN source IP and port with the Internet destination IP
and port, so, the Internet host can only communicate with (send packets
back to) me. So, it's virtually impossible for the Internet host to
access any ports other than the ones that are listed in the NAT table of
the router. Isn't it? So let's say LAN computer 10.0.0.1:39000 contacts
Internet host 62.0.0.1:80... The Internet host can only reach the LAN
computer at port 39000, as this is the only entry listed on the router
NAT table.

So, based on the previous information, it seems that my web browser is
connecting to an Internet host to download content (JPG, GIF, etc) very
very fast, using new connections and thus, with sequentially increasing
source ports. It seems that SNORT is taking this connections as a
portscan attempt, but I think this is my web browser opening and closing
HTTP connections against the web site very very fast. Also, since
Internet source port is always 80, this leads me to think it's simply a
lot of HTTP traffic coming and going between my Web browser and the Web
site.

Anybody can throw some light at this?
Thanks!

Best regards...




More information about the Snort-users mailing list