[Snort-users] Portscan 2 question

Joe Giles jgiles at ...6534...
Thu Oct 24 11:51:11 EDT 2002


Well, I do use AIM. I also have a Game server running on port 27016 and
27017. 

If this is normal TCP/UDP communication, I'm OK with that. I was just
concerned that someone hacked me and was using my machine as a proxy to
attack other machines (or at least scan other machines). But I can't see
any evidence of that. I have checked the logs, bash_history of my few
users, and a neat tool called last. I also ran a root kit check. So, at
this point, I'm pretty sure that it is just normal traffic. It just threw
me off guard because I have never seen this before in ACID...

Thanks

Joe



On Thu, 2002-10-24 at 12:38, Hicks, John wrote:
> Instance #2 is what I was assuming your issue to be. Instance #1 imho needs
> more correlation, but given UDP and the destination port being the same, I'd
> assume maybe IM?
> 
> John
> 
> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...6534...]
> Sent: Thursday, October 24, 2002 2:26 PM
> To: Soren Macbeth
> Cc: Snort-List
> Subject: RE: [Snort-users] Portscan 2 question
> 
> 
> Here is what I found in that scan.log file for the 2 dest IP's... 
> 
> Instance 1>
> 10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
> 10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
> 10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
> 10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
> 10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
> 10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
> 10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
> 10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
> 10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
> 10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
> 10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
> 10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport:
> 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0
> 
> Instance 2>
> 10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport:
> 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
> 
> What do you think?
> 
> Thanks
> 
> Joe
> 
> 
> On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
> > Look at the ports that portscan2 reported. Sometimes clients browsing
> > websites cause portscan2 to trigger based on the fact that some browsers
> > initiate a new connection (and thus, a new port) for each image. If you
> > haven't changed the config, there should be a scan.log file in your snort
> > log directory which will have more info.
> > 
> > //soren 
> > 
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles at ...6534...] 
> > Sent: Thursday, October 24, 2002 1:23 PM
> > To: Snort-List
> > Subject: [Snort-users] Portscan 2 question
> > 
> > I have a weird problem with 2 entries in my ACID database. Apparently,
> > my server did a port scan on a remote machine. The problem is that no
> > one here initiated a port scan. The database lists my server IP as the
> > source and lists a dest IP. This is listed as a spp_portscan2. Does the
> > new snort scan other machines on the Internet? I don't want any issues
> > with other services because they think I'm port scanning their network.
> > 
> > Thanks
> > 
> > Joe
> > 
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by: Influence the future 
> > of Java(TM) technology. Join the Java Community 
> > Process(SM) (JCP(SM)) program now. 
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > 
> 
> 
> 
> 
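The triage Soren and John describe in the thread (look at the ports portscan2 reported; a client talking to one service shows one destination port and a fresh ephemeral source port per connection, whereas a real scan walks many destination ports) can be automated over the scan.log format quoted above. The following is an added example, not code from the thread or from the Snort project. The sample log lines are constructed to mirror the quoted format (the `<INTERNALIP>` placeholder is kept as the poster wrote it; the `192.0.2.50` entries are invented to show the other branch of the classifier), and the reading of the `tgts` and `ports` counters as portscan2's own per-window totals, reported here as printed, is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of scan.log records in the format quoted in the thread.
# The first four lines mirror the poster's own records; the 192.0.2.50 lines
# are invented to exercise the "many destination ports" branch.
SAMPLE_LOG = """\
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
10/23-11:20:00.000000  TCP src: <INTERNALIP> dst: 192.0.2.50 sport: 1200 dport: 22 tgts: 1 ports: 40 flags: ******S* event_id: 7
10/23-11:20:00.100000  TCP src: <INTERNALIP> dst: 192.0.2.50 sport: 1201 dport: 23 tgts: 1 ports: 40 flags: ******S* event_id: 7
10/23-11:20:00.200000  TCP src: <INTERNALIP> dst: 192.0.2.50 sport: 1202 dport: 25 tgts: 1 ports: 40 flags: ******S* event_id: 7
"""

# One scan.log record; the "flags:" field is only present on TCP records.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)"
    r"\s+sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)"
    r"\s+tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)"
    r"(?:\s+flags:\s*(?P<flags>\S+))?\s+event_id:\s*(?P<event_id>\d+)\s*$"
)


@dataclass
class ScanEntry:
    ts: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tgts: int
    ports: int
    flags: Optional[str]   # None for UDP records, e.g. "******S*" for TCP
    event_id: int


def parse_scan_log(text: str) -> List[ScanEntry]:
    """Parse scan.log text into records, silently skipping non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(ScanEntry(
            d["ts"], d["proto"], d["src"], d["dst"],
            int(d["sport"]), int(d["dport"]), int(d["tgts"]), int(d["ports"]),
            d["flags"], int(d["event_id"]),
        ))
    return entries


def triage(entries: List[ScanEntry]) -> Dict[Tuple[str, str, str], dict]:
    """Group records by (src, dst, proto) and label each group.

    Heuristic from the thread: a single destination port with a different
    ephemeral source port on every record looks like one client repeatedly
    talking to one service (browser, IM, game client).  Several destination
    ports from the same source toward the same host is what deserves a closer
    look.
    """
    groups: Dict[Tuple[str, str, str], List[ScanEntry]] = defaultdict(list)
    for e in entries:
        groups[(e.src, e.dst, e.proto)].append(e)

    verdicts = {}
    for key, group in groups.items():
        dports = sorted({e.dport for e in group})
        sports = {e.sport for e in group}
        if len(dports) == 1 and len(sports) == len(group):
            verdict = "client-to-single-service"
        else:
            verdict = "multi-port: investigate"
        verdicts[key] = {
            "verdict": verdict,
            "records": len(group),
            "dports": dports,
            # portscan2's own counters, reported as printed (interpretation assumed)
            "max_tgts": max(e.tgts for e in group),
            "max_ports": max(e.ports for e in group),
        }
    return verdicts


if __name__ == "__main__":
    for (src, dst, proto), v in triage(parse_scan_log(SAMPLE_LOG)).items():
        print(f"{proto} {src} -> {dst}: {v['verdict']} "
              f"(records={v['records']}, dports={v['dports']})")
```

Run against a real scan.log by replacing `SAMPLE_LOG` with the file's contents. The grouping key deliberately includes the protocol so that the UDP game traffic and a TCP web fetch to the same host are judged separately; the "investigate" label is a prompt to correlate with the host's own evidence (process list, logins, shell histories), exactly the checks the original poster ran, not a verdict on its own.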