[Snort-users] Portscan 2 question

Joe Giles jgiles at ...6534...
Thu Oct 24 11:26:06 EDT 2002


Here is what I found in that scan.log file for the 2 dest IPs...

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe


On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
> Look at the ports that portscan2 reported. Sometimes clients browsing
> websites cause portscan2 to trigger based on the fact that some browsers
> initiate a new connection (and thus, new port) for each image. If you
> haven't changed the config, there should be a scan.log file in your snort log
> directory which will have more info.
> 
> //soren 
> 
> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...6534...] 
> Sent: Thursday, October 24, 2002 1:23 PM
> To: Snort-List
> Subject: [Snort-users] Portscan 2 question
> 
> I have a weird problem with 2 entries in my ACID database. Apparently,
> my server did a port scan on a remote machine. The problem is that no
> one here initiated a port scan. The database lists my server IP as the
> source and lists a dest IP. This is listed as a spp_portscan2. Does the
> new snort scan other machines on the Internet? I don't want any issues
> with other services because they think I'm port scanning their network.
> 
> Thanks
> 
> Joe
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
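An added example, not part of the original thread and not Snort's own code: a small Python triage script for scan.log entries in the layout quoted above. It rejoins wrapped entries, groups them by protocol, source and destination, and lists flows where every entry went to a single destination port from a different source port. The sample addresses are constructed placeholders, and the "fixed service" heuristic is an assumption drawn from the reply about clients opening a new source port per connection.

```python
import re
from collections import defaultdict

# Constructed sample in the scan.log layout quoted in this thread; addresses
# are documentation-range placeholders, wrapped the way the mail wrapped them.
SAMPLE = """\
10/18-12:05:07.946026  UDP src: 192.0.2.10 dst: 198.51.100.7 sport:
1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: 192.0.2.10 dst: 198.51.100.7 sport:
2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/23-11:17:52.681476  TCP src: 192.0.2.10 dst: 203.0.113.80 sport:
1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
"""

ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+sport:\s*(?P<sport>\d+)\s+"
    r"dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)"
    r"(?:\s+flags:\s*(?P<flags>\S+))?\s+event_id:\s*(?P<event_id>\d+)"
)

def parse_scan_log(text):
    """Return one dict per entry; tolerates entries wrapped across lines."""
    flat = " ".join(text.split())  # undo mail/archive line wrapping
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def summarize(entries):
    """Group by (proto, src, dst) and collect what an analyst checks first."""
    groups = defaultdict(lambda: {"hits": 0, "dports": set(), "sports": set(),
                                  "max_tgts": 0, "max_ports": 0})
    for e in entries:
        g = groups[(e["proto"], e["src"], e["dst"])]
        g["hits"] += 1
        g["dports"].add(int(e["dport"]))
        g["sports"].add(int(e["sport"]))
        g["max_tgts"] = max(g["max_tgts"], int(e["tgts"]))    # counter as logged
        g["max_ports"] = max(g["max_ports"], int(e["ports"]))  # counter as logged
    return dict(groups)

def fixed_service_flows(summary):
    """Assumed heuristic: repeated entries to one dport, each from a new sport,
    look like client traffic; check them against known applications first."""
    return sorted(k for k, g in summary.items()
                  if len(g["dports"]) == 1 and g["hits"] >= 2
                  and len(g["sports"]) == g["hits"])

if __name__ == "__main__":
    for key, g in summarize(parse_scan_log(SAMPLE)).items():
        print(key, g)
```

A flow returned by fixed_service_flows is a candidate false positive to verify, not a verdict; a single-entry flow such as the TCP/80 one is left for manual review.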