[Snort-users] Re: Snort-users digest, Vol 1 #2427 - 1 msg

Mike Cole Mike.Cole at ...7283...
Thu Oct 24 13:43:10 EDT 2002


I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 13:33 >>>

Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2425 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 13:36:46 -0700
From: "Mike Cole" <Mike.Cole at ...7283...>
Reply-To: Mike.Cole at ...7283...
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2425 - 1 msg

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 13:24 >>>



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2422 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 13:27:34 -0700
From: "Mike Cole" <Mike.Cole at ...7283...>
Reply-To: Mike.Cole at ...7283...
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2422 - 1 msg

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 13:14 >>>



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2420 - 2 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 13:17:51 -0700
From: "Mike Cole" <Mike.Cole at ...7283...>
Reply-To: Mike.Cole at ...7283...
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2420 - 2 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 13:05 >>>



Today's Topics:

   1. Snort Center - File size limit exceeded (Andy Stein)
   2. Re: Snort-users digest, Vol 1 #2418 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 16:02:40 -0400 (EDT)
From: "Andy Stein" <andy at ...7154...>
To: <snort-users at lists.sourceforge.net>
Reply-To: andy at ...7154...
Subject: [Snort-users] Snort Center - File size limit exceeded

I have a sensor that after I push the configuration to the sensor, the
sensor will not start.

Running this command
[root at ...7303... snort]#snort -U -o -c /etc/snort/snort.eth0.conf

<snip>
1033 Snort rules read...
1033 Option Chains linked into 153 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.9.0 (Build 209)
By Martin Roesch (roesch at ...1935..., www.snort.org)
File size limit exceeded

What file size limit have I exceeded?

Thanks!
Andy
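"File size limit exceeded" is not a Snort message: it is what the shell prints when the child it started was killed by SIGXFSZ, the signal the kernel delivers when a write would push a file past the process's RLIMIT_FSIZE (what "ulimit -f" shows) or, for a 32-bit build without large-file support, past the 2 GiB offset ceiling. With Snort the usual trigger is an alert or log file in the output directory that has grown to that size. The script below is an added example written for this page, not a tool from the thread or from the Snort project: it reports the soft RLIMIT_FSIZE and lists files in a log directory that have reached a given ceiling. The default log directory and the sample files it builds are placeholders constructed for the demonstration.

```python
import os
import resource
import tempfile

LFS_LIMIT = 2**31 - 1   # largest offset a 32-bit off_t can address without large-file support


def fsize_limit():
    """Soft RLIMIT_FSIZE in bytes ('ulimit -f' reports it in 512-byte blocks), or None if unlimited."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_FSIZE)
    return None if soft == resource.RLIM_INFINITY else soft


def find_oversized(log_dir, limit=LFS_LIMIT, slack=4096):
    """Files under log_dir whose size is within `slack` bytes of, or beyond, `limit`.

    Returns sorted (path relative to log_dir, size) pairs."""
    hits = []
    for root, _dirs, names in os.walk(log_dir):
        for name in names:
            path = os.path.join(root, name)
            size = os.path.getsize(path)
            if size + slack >= limit:
                hits.append((os.path.relpath(path, log_dir), size))
    return sorted(hits)


def diagnose(log_dir, binary_limit=LFS_LIMIT):
    """The two checks to run first: the rlimit in force, then any file sitting at the ceiling."""
    soft = fsize_limit()
    ceiling = binary_limit if soft is None else min(soft, binary_limit)
    lines = [
        "RLIMIT_FSIZE soft limit: " + ("unlimited" if soft is None else f"{soft} bytes"),
        f"effective write ceiling: {ceiling} bytes",
    ]
    for rel, size in find_oversized(log_dir, ceiling):
        lines.append(f"{rel}: {size} bytes (at the ceiling; rotate or move it before restarting)")
    return lines


def build_sample_logdir(ceiling=LFS_LIMIT):
    """Constructed sample (not a real sensor): a sparse 'alert' file that has hit the
    ceiling plus a small portscan.log, in a fresh temporary directory."""
    log_dir = tempfile.mkdtemp(prefix="snortlog-")
    with open(os.path.join(log_dir, "alert"), "wb") as f:
        f.truncate(ceiling)      # sparse file: consumes no real disk space
    with open(os.path.join(log_dir, "portscan.log"), "wb") as f:
        f.write(b"10/22-14:51:35.899289  UDP src: 10.0.0.5 dst: 192.0.2.10 sport: 33952 dport: 27160\n")
    return log_dir


if __name__ == "__main__":
    import sys
    # Pass the sensor's real log directory (e.g. the placeholder /var/log/snort) as argv[1];
    # without an argument the constructed sample directory is examined instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_logdir()
    print("\n".join(diagnose(target)))
```

Run it from the same environment Snort is started from, since the rlimit is inherited from the parent shell or init script rather than read from snort.conf.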




--__--__--

Message: 2
Date: Thu, 24 Oct 2002 13:08:24 -0700
From: "Mike Cole" <Mike.Cole at ...7283...>
Reply-To: Mike.Cole at ...7283...
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2418 - 1 msg

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 12:47 >>>



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2416 - 2 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:50:44 -0700
From: "Mike Cole" <Mike.Cole at ...7283...>
Reply-To: Mike.Cole at ...7283...
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2416 - 2 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 12:39 >>>



Today's Topics:

   1. RE: Portscan 2 question (Brian F. Vaughan)
   2. RE: Re: Snort-users digest, Vol 1 #2413 - 1 msg (darnell.poulin at ...7306...05...a)

--__--__--

Message: 1
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 15:33:15 -0400
From: "Brian F. Vaughan" <bvaughan at ...6569...>
To: "Soren Macbeth" <smacbeth at ...7281...>,
	"Joe Giles" <jgiles at ...6534...>
Cc: "Snort-List" <snort-users at lists.sourceforge.net>

Have you performed an nslookup on the dst ip. It is an ISP that may have
a user hosting a game server or something as it is going to a
high-numbered UDP port. Should also check the internal machine that is
the src to make sure there isn't a virus or some backdoor program
sending info back to the dst ip.

Brian Vaughan
IT Administrator



-----Original Message-----
From: Soren Macbeth [mailto:smacbeth at ...7281...]
Sent: Thursday, October 24, 2002 2:33 PM
To: 'Joe Giles'; Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question


I'm not sure about the udp dport 27160 stuff. Are you running some
application on that port? It's all traffic to one particular host. You may
want to check into that.

The second one is definitely benign web browsing.

//soren


-----Original Message-----
From: Joe Giles [mailto:jgiles at ...6534...]
Sent: Thursday, October 24, 2002 2:26 PM
To: Soren Macbeth
Cc: Snort-List
Subject: RE: [Snort-users] Portscan 2 question

Here is what I found in that scan.log file for the 2 dest IP's...

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe


On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
> Look at the ports that portscan2 reported. Sometimes clients browsing
> websites cause portscan2 to trigger based on the fact that some browsers
> initiate a new connection (and thus, new port) for each image. If you
> haven't changed the config, there should be a scan.log file in your snort
> log directory which will have more info.
>
> //soren
>
> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...6534...]
> Sent: Thursday, October 24, 2002 1:23 PM
> To: Snort-List
> Subject: [Snort-users] Portscan 2 question
>
> I have a weird problem with 2 entries in my ACID database. Apparently,
> my server did a port scan on a remote machine. The problem is that no
> one here initiated a port scan. The database lists my server IP as the
> source and lists a dest IP. This is listed as a spp_portscan2. Does the
> new snort scan other machines on the Internet? I don't want any issues
> with other services because they think I'm port scanning their network.
>
> Thanks
>
> Joe
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Influence the future
> of Java(TM) technology. Join the Java Community
> Process(SM) (JCP(SM)) program now.
> http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0003en
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





--__--__--

Message: 2
From: darnell.poulin at ...7285...
Date:  Thu, 24 Oct 2002 15:39:08 -0400
To: Mike.Cole at ...7283..., snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Re: Snort-users digest, Vol 1 #2413 - 1 msg

OK, I think it's about time to temporarily take this gent off of the list...

-----Original Message-----
From: Mike.Cole at ...7286....org
Sent: Thursday, October 24, 2002 3:30 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2413 - 1 msg


I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 12:16 >>>



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2412 - 1 msg (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:20:02 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2412 - 1 msg

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 12:09 >>>



Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2411 - 4 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 12:12:53 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2411 - 4 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 12:02 >>>



Today's Topics:

   1. RE: Portscan 2 question (Joe Giles)
   2. Is this a valid rule? (Lefevre, Steven)
   3. Re: dual inteface? (Phil Wood)
   4. Re: Snort-users digest, Vol 1 #2410 - 3 msgs (Mike Cole)

--__--__--

Message: 1
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: "Hicks, John" <JHicks at ...7289....GC.CA>
Cc: Snort-List <snort-users at lists.sourceforge.net>
Date: 24 Oct 2002 12:51:31 -0600

Well, I do use AIM. I also have a Game server running on port 27016 and
27017.

If this is normal TCP/UDP communication, I'm OK with that. I was just
concerned that someone hacked me and was using my machine as a proxy to
attack other machines (or at least scan other machines). But I can't see
any evidence of that. I have checked the logs, bash_history of my few
users, and a neat tool called last. I also ran a root kit check. So, at
this point, I'm pretty sure that it is just normal traffic. Just threw
me off guard cause I have never seen this before in ACID...

Thanks

Joe



On Thu, 2002-10-24 at 12:38, Hicks, John wrote:
> Instance #2 is what I was assuming your issue to be. Instance #1 imho needs
> more correlation, but given UDP and the destination port being the same, i'd
> assume maybe IM?
>
> John
>
> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...7288....com]
> Sent: Thursday, October 24, 2002 2:26 PM
> To: Soren Macbeth
> Cc: Snort-List
> Subject: RE: [Snort-users] Portscan 2 question
>
>
> Here is what I found in that scan.log file for the 2 dest IP's...
>
> Instance 1>
> 10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
> 10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
> 10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
> 10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
> 10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
> 10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
> 10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
> 10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
> 10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
> 10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
> 10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
> 10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0
>
> Instance 2>
> 10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
>
> What do you think?
>
> Thanks
>
> Joe
>
>
> On Thu, 2002-10-24 at 12:02, Soren Macbeth wrote:
> > Look at the ports that portscan2 reported. Sometimes clients browsing
> > websites cause portscan2 to trigger based on the fact that some browsers
> > initiate a new connection (and thus, new port) for each image. If you
> > haven't changed the config, there should be a scan.log file in your snort
> > log directory which will have more info.
> >
> > //soren
> >
> > -----Original Message-----
> > From: Joe Giles [mailto:jgiles at ...7288....com]
> > Sent: Thursday, October 24, 2002 1:23 PM
> > To: Snort-List
> > Subject: [Snort-users] Portscan 2 question
> >
> > I have a weird problem with 2 entries in my ACID database. Apparently,
> > my server did a port scan on a remote machine. The problem is that no
> > one here initiated a port scan. The database lists my server IP as the
> > source and lists a dest IP. This is listed as a spp_portscan2. Does the
> > new snort scan other machines on the Internet? I don't want any issues
> > with other services because they think I'm port scanning their network.
> >
> > Thanks
> >
> > Joe
> >




--__--__--

Message: 2
From: SLefevre at ...7290....com (Lefevre, Steven)
To: "Snort-List" <snort-users at lists.sourceforge.net>
Date: Thu, 24 Oct 2002 14:52:24 -0400
Subject: [Snort-users] Is this a valid rule?

I have this rule in my local rule file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")

(It's to detect IRC traffic ;)

Why does snort always choke on it? I've looked it over 100 times and it
seems to follow the syntax.
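Snort's option parser splits the text inside the parentheses on ';' and treats each piece as one option, so every option, including the last one, has to end with a semicolon; the rule as posted ends with (msg:"IRC Activity") and leaves that single option unterminated. The checker below is an added example written for this page (not Snort's parser and not from the thread): it splits the header from the option body, tokenizes options on ';' outside double quotes, validates the port specifications in the header, and warns when sid or rev are absent, since later Snort releases require a sid. The keyword list is a small set of common options chosen for the demonstration, not the full list of any Snort release.

```python
import re

# Rule header: action proto src sport direction dst dport
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)

# A small set of common option keywords (assumed for the demo); others only draw a warning.
KNOWN_OPTIONS = {
    "msg", "content", "uricontent", "nocase", "depth", "offset", "flags", "flow",
    "dsize", "ttl", "itype", "icode", "sid", "rev", "classtype", "priority",
    "reference", "session", "logto", "tag", "pcre", "within", "distance",
}
QUOTED_OPTIONS = {"msg", "content", "uricontent", "pcre"}


def split_rule(rule):
    """Return (header, option_body), or (header, None) when the parentheses are absent."""
    rule = rule.strip()
    lp = rule.find("(")
    if lp == -1 or not rule.endswith(")"):
        return rule, None
    return rule[:lp].strip(), rule[lp + 1:-1]


def tokenize_options(body):
    """Split on ';' outside double quotes. Returns (options, unterminated_tail)."""
    tokens, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])        # keep an escaped char such as \" inside content
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    return tokens, "".join(buf).strip()


def check_port_spec(spec):
    """Validate 'any', a $variable, a single port, or lo:hi (optionally negated with '!')."""
    s = spec[1:] if spec.startswith("!") else spec
    if s == "any" or s.startswith("$"):
        return None
    m = re.fullmatch(r"(\d*):(\d*)|(\d+)", s)
    if not m:
        return f"bad port specification {spec!r}"
    if m.group(3) is not None:
        lo = hi = int(m.group(3))
    else:
        lo = int(m.group(1)) if m.group(1) else 0
        hi = int(m.group(2)) if m.group(2) else 65535
    if lo > hi:
        return f"inverted port range {spec!r}"
    if hi > 65535:
        return f"port out of range in {spec!r}"
    return None


def check_rule(rule):
    """Return {'errors': [...], 'warnings': [...]} for one rule line."""
    errors, warnings = [], []
    header, body = split_rule(rule)
    if body is None:
        return {"errors": ["rule has no '( ... )' option section"], "warnings": warnings}
    m = HEADER_RE.match(header)
    if not m:
        errors.append(f"malformed rule header: {header!r}")
    else:
        for field in ("sport", "dport"):
            err = check_port_spec(m.group(field))
            if err:
                errors.append(err)
    tokens, tail = tokenize_options(body)
    if tail:   # text left after the last ';' is the classic missing-semicolon mistake
        errors.append(f"option {tail!r} is not terminated: each rule option must end with ';'")
    seen = set()
    for tok in tokens:
        if not tok:
            continue
        key, _, value = tok.partition(":")
        key, value = key.strip(), value.strip()
        seen.add(key)
        if key not in KNOWN_OPTIONS:
            warnings.append(f"unknown option keyword {key!r}")
        if key in QUOTED_OPTIONS and not (len(value) >= 2 and value[0] == value[-1] == '"'):
            errors.append(f"{key} value must be double-quoted: {tok!r}")
    if "sid" not in seen:
        warnings.append("no sid option (required by later Snort releases)")
    if "rev" not in seen:
        warnings.append("no rev option (recommended alongside sid)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    posted = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity")'
    fixed = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 6008:6009 (msg:"IRC Activity"; sid:1000001; rev:1;)'
    for r in (posted, fixed):
        print(r, check_rule(r), sep="\n  ")
```

The 6008:6009 port range in the header is fine; only the option body needs the terminating semicolon. The sid value in the fixed form is a constructed example, chosen from the range local rules normally use.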



--__--__--

Message: 3
From: Phil Wood <cpw at ...7291....gov>
Date: Thu, 24 Oct 2002 13:00:30 -0600
To: Daniel Curry <dcurry at ...7292....com>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] dual inteface?

If you have an os and pcap that supports the "any" interface, then you could:

  snort ... -i any ...

This may not be what you want since you get all the interfaces on your box.

I found that it did not appear to work with shared libraries (but
that might be due to some funny stuff on my end).  So, I built a
static snort.  (add -static to LDFLAGS and reload, might need -lz at
tail end of load line).

On Thu, Oct 24, 2002 at 08:28:04AM -0700, Daniel Curry wrote:
>  I had lost the email that gave information
> on how to configure snort to see two, eth2 and eth3,
> promiscuous interfaces on a redhat 7.2 system?
>  I did not see the information in http://sourceforge.net/mailarchive.
> Thank you.
>
> --
> Daniel Curry
> DIRECT 650-232-4006
> FAX 650-232-3200
> PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5 C83E 8C92
>
>

--
Phil Wood, cpw at ...7291....gov



--__--__--

Message: 4
Date: Thu, 24 Oct 2002 12:05:10 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2410 - 3 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 11:51 >>>



Today's Topics:

   1=3D3D3D3D3D2E RE: Portscan 2 question (Hicks, John)
   2=3D3D3D3D3D2E Snort 1=3D3D3D3D3D2E9=3D3D3D3D3D2E0 on Windows and MSSQL =
=3D
(Robbins, =3D3D
Mark)
   3=3D3D3D3D3D2E Re: Snort-users digest, Vol 1 #2409 - 1 msg (Mike Cole)

--         __--__--        =3D3D3D3D3D3D3D20

Message: 1
From: "Hicks, John" <JHicks at ...7289....GC.CA>
To: 'Joe Giles' <jgiles at ...7288....com>
Cc: "Snort Users (E-mail)" <snort-users at ...7287....sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:33:24 -0400

it's 'last' and again, *any* service allowing ephemeral ports may cause this
not just DNS.

cheers,
John

-----Original Message-----
From: Joe Giles [mailto:jgiles at ...7288....com]
Sent: Thursday, October 24, 2002 2:13 PM
To: Robby Desmond
Cc: Snort-List
Subject: Re: [Snort-users] Portscan 2 question


Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Thanks for the reply

Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> At 11:22 AM 10/24/02 -0600, you wrote:
> >I have a weird problem with 2 entries in my ACID database. Apparently,
> >my server did a port scan on a remote machine. The problem is that no
> >one here initiated a port scan. The database lists my server IP as the
> >source and lists a dest IP. This is listed as a spp_portscan2. Does the
> >new snort scan other machines on the Internet? I don't want any issues
> >with other services because they think I'm port scanning their network.
> >
> >Thanks
> >
> >Joe
>
> Are you, by chance, running DNS?
>
> You should add your DNS servers to the list of portscan2-ignorehosts,
> otherwise you will get this sort of activity.
>
> If you are not running DNS, then check the "lasts" command to see who has
> been on your system. (Or who has been appearing as someone on your
> system.)
>
> -Robby
>
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906
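To show why a server that merely answers requests on many ephemeral ports (Robby's DNS case, John's "any service") can look like a scanner to a threshold-based detector, and what excluding it via portscan2-ignorehosts buys, here is an added Python example. It is not Snort's spp_portscan2 code: the threshold logic is a deliberately simplified stand-in, and every address, port, window and count is constructed.

```python
"""Why a busy server trips a threshold-based portscan detector.

Added example, not Snort's spp_portscan2 code: the threshold logic is a
deliberately simplified stand-in, and all addresses, ports and numbers
are constructed. The ignore list plays the role of portscan2-ignorehosts.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int


def detect_scanners(packets: Iterable[Packet], max_targets: int = 5,
                    window: float = 20.0,
                    ignore_hosts: Sequence[str] = ()) -> Dict[str, float]:
    """Flag a source that touches more than max_targets distinct
    (dst host, dst port) pairs within `window` seconds.

    Returns {src: timestamp of the packet that crossed the threshold}.
    Sources in ignore_hosts are never evaluated, like portscan2-ignorehosts.
    """
    ignore = set(ignore_hosts)
    history = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    flagged: Dict[str, float] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if p.src in ignore or p.src in flagged:
            continue
        hist = history[p.src]
        hist.append((p.ts, (p.dst, p.dport)))
        while hist and hist[0][0] < p.ts - window:   # slide the window
            hist.popleft()
        if len({target for _, target in hist}) > max_targets:
            flagged[p.src] = p.ts
    return flagged


def service_replies(server: str, service_port: int, client: str,
                    n: int, start: float = 0.0) -> List[Packet]:
    """Constructed legitimate traffic: a server answering n requests from
    one client. Each reply goes from the service port to a fresh ephemeral
    client port (a browser opening one connection per image, or a resolver
    sending each DNS query from a new port), so the server 'touches' n
    distinct (host, port) targets even though it initiated nothing."""
    return [Packet(start + 0.1 * i, server, service_port, client, 40000 + i)
            for i in range(n)]


def port_sweep(scanner: str, victim: str, ports: Sequence[int],
               start: float = 0.0) -> List[Packet]:
    """Constructed hostile traffic: one source probing many ports on one host."""
    return [Packet(start + 0.01 * i, scanner, 50000 + i, victim, port)
            for i, port in enumerate(ports)]


def classify(packets: Iterable[Packet],
             ignore_hosts: Sequence[str] = ()) -> Dict[str, str]:
    """Label each source as 'flagged' or 'quiet' under the model above."""
    packets = list(packets)
    flagged = detect_scanners(packets, ignore_hosts=ignore_hosts)
    return {src: ("flagged" if src in flagged else "quiet")
            for src in sorted({p.src for p in packets})}


if __name__ == "__main__":
    web = service_replies("192.0.2.10", 80, "198.51.100.7", 8)
    dns = service_replies("192.0.2.53", 53, "198.51.100.7", 8)
    scan = port_sweep("203.0.113.9", "192.0.2.10", [21, 22, 23, 25, 80, 110, 143])
    # Both servers are flagged alongside the real sweep...
    print(classify(web + dns + scan))
    # ...and excluding the known servers keeps only the sweep.
    print(classify(web + dns + scan, ignore_hosts=["192.0.2.10", "192.0.2.53"]))
```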






--__--__--

Message: 2
From: "Robbins, Mark" <MRobbins at ...1256....edu>
To: snort-users at ...7287....sourceforge.net
Date: Thu, 24 Oct 2002 13:43:46 -0500
Subject: [Snort-users] Snort 1.9.0 on Windows and MSSQL


Has anyone gotten Snort 1.9.0 to log to an MSSQL database with the available
(compiled) executables?

I am getting the error message

database: SQL Server message 156, state 1, severity 15:
Incorrect syntax near the keyword 'schema'.
database: The above error was caused by the following statement:
SELECT vseq FROM schema

In MSSQL, schema is a reserved word, and the syntax would have to be SELECT
vseq FROM [schema] for this to work. I have used previous versions of snort
to log to MSSQL with no difficulty.

Could this problem arise from a configuration mistake I have made, or is the
problem in snort.exe itself?

Thanks for any help you can provide.

Mark Robbins




--__--__--

Message: 3
Date: Thu, 24 Oct 2002 11:54:27 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at ...7287....sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2409 - 1 msg

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 11:43 >>>


Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2408 - 3 msgs (Mike Cole)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 11:46:29 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at ...7287....sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2408 - 3 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 11:36 >>>


Today's Topics:

   1. Re: Snort-users digest, Vol 1 #2407 - 12 msgs (Mike Cole)
   2. RE: Portscan 2 question (Soren Macbeth)
   3. Re: Portscan 2 question (Gary Verhulp)

--__--__--

Message: 1
Date: Thu, 24 Oct 2002 11:36:47 -0700
From: "Mike Cole" <Mike.Cole at ...7286....org>
Reply-To: Mike.Cole at ...7286....org
To: <snort-users at ...7287....sourceforge.net>
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2407 - 12 msgs

I'm out of the office until Monday the 28th.  If this is a pressing matter, please call me @ 209.569.3910 and I'll do my best to get back to you.

Mike

>>> snort-users 10/24/02 11:26 >>>


Today's Topics:

   1. RE: UDP packet supposedly DROPped, but seen by snort anyway (Matt Yackley)
   2. RE: UDP packet supposedly DROPped, but seen by snort anyway (Jan Ploski)
   3. RE: PROBLEMAS (Kreimendahl, Chad J)
   4. Portscan 2 question (Joe Giles)
   5. Re: dual inteface? (Bennett Todd)
   6. RE: Portscan 2 question (Joe Giles)
   7. RE: Portscan 2 question (Soren Macbeth)
   8. Re: Portscan 2 question (Joe Giles)
   9. Re: Portscan 2 question (Joe Giles)
  10. Re: Portscan 2 question (Joe Giles)
  11. RE: Portscan 2 question (Joe Giles)

--__--__--

Message: 1
From: Matt Yackley <Matt.Yackley at ...7293....com>
To: 'Jan Ploski' <jpljpl at ...7294....de>, snort-users at ...7312......sourceforge.net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway
Date: Thu, 24 Oct 2002 11:23:35 -0500

Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
grabs the packet when it hits the NIC, iptables is rejecting the packet but
that happens at a higher level than libpcap & snort work at.
Others here will expand more but my guess as to why the TCP is not picked up
by snort is due to the way the rules are written and the way TCP connections
are handled.  Most rules for TCP type connections will require a 3way
handshake to be completed before something like a cmd.exe attempt is sent.
If this type of connection is blocked at the start it never gets to the
point of sending a packet that triggers the rule.  This UDP rule will
trigger with the first packet sent since it does not need a 3 way handshake
to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to
correct me where I am wrong :)

Matt

-----Original Message-----
From: Jan Ploski [mailto:jpljpl at ...7294....de]
Sent: Thursday, October 24, 2002 10:23 AM
To: snort-users at ...7287....sourceforge.net
Subject: [Snort-users] UDP packet supposedly DROPped, but seen by snort
anyway


Hello,

I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on
that port.

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed at? This is not the case for any TCP
packets that have been DROPped.

Best regards -
Jan Ploski





--__--__--

Message: 2
Date: Thu, 24 Oct 2002 18:41:34 +0200 (CEST)
From: Jan Ploski <jpljpl at ...7294....de>
To: snort-users at ...7287....sourceforge.net
Subject: RE: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
> Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
> grabs the packet when it hits the NIC, iptables is rejecting the packet but
> that happens at a higher level than libpcap & snort work at.
> Others here will expand more but my guess as to why the TCP is not picked up
> by snort is due to the way the rules are written and the way TCP connections
> are handled.  Most rules for TCP type connections will require a 3way
> handshake to be completed before something like a cmd.exe attempt is sent.
> If this type of connection is blocked at the start it never gets to the
> point of sending a packet that triggers the rule.  This UDP rule will
> trigger with the first packet sent since it does not need a 3 way handshake
> to be completed.
>
> Anyway, that is my quick stab at this, everyone else please feel free to
> correct me where I am wrong :)

Matt,

you are entirely correct, and I have also received similar suggestions
from other people on this list via private email (thanks again!).

The TCP SYN packet used to establish a connection indeed makes it
through to snort, much like the UDP packet. Too bad I did not check
this before posting... :-(

As someone else suggested: "write a pass rule for it or you can
use a bpf filter (not udp port 161) to ignore the traffic". This is
indeed a good solution, as I know that port 161 is closed on the
monitored box.

Best regards -
Jan Ploski
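As an added example (not code from the thread or from Snort), the following Python turns iptables DROP rules of the shape Jan posted into the two mitigations named above: one BPF exclusion filter for the snort command line, and equivalent Snort pass rules. The rule text, the flag subset it understands and all helper names are constructed for this example; `-m state --state NEW` has no BPF counterpart, since libpcap sees every packet before netfilter decides, so the filter is necessarily broader than the iptables rule.

```python
"""Keep firewall-dropped traffic out of Snort's view.

Added example, not code from the thread or from Snort. It turns iptables
DROP rules of the shape Jan posted into (a) one BPF exclusion filter for
Snort's command line and (b) equivalent Snort pass rules. Only -p, -s, -d,
--sport and --dport are understood (a deliberate, constructed subset).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: Jan's rule plus rules of the same shape.
SAMPLE_RULES = """\
iptables -A block -m state --state NEW -p udp --dport 161 -j DROP
iptables -A block -p tcp --dport 23 -j DROP
iptables -A block -s 10.0.0.0/8 -p udp --dport 69 -j DROP
iptables -A block -p tcp --dport 80 -j ACCEPT
"""

# Longer flags first so "--dport" is not read as "-d" + "port".
_FLAG = re.compile(r"(--dport|--sport|-p|-s|-d|-j)\s+(\S+)")


def parse_drop_rule(line: str) -> Optional[Dict[str, str]]:
    """Return the match fields of a DROP rule, or None for any other line."""
    fields = dict(_FLAG.findall(line))
    if fields.get("-j") != "DROP":
        return None
    del fields["-j"]
    return fields


def rule_to_bpf(rule: Dict[str, str]) -> str:
    """One parsed rule as a conjunction of BPF primitives."""
    terms = []
    if "-p" in rule:
        terms.append(rule["-p"])
    if "-s" in rule:
        terms.append(f"src net {rule['-s']}")
    if "-d" in rule:
        terms.append(f"dst net {rule['-d']}")
    if "--sport" in rule:
        terms.append(f"src port {rule['--sport']}")
    if "--dport" in rule:
        terms.append(f"dst port {rule['--dport']}")
    return " and ".join(terms)


def exclusion_filter(rules_text: str) -> str:
    """BPF expression hiding every DROPped flow, for use as the trailing
    filter argument of the snort command line (the thread's
    `not udp port 161` suggestion, generalised to n rules)."""
    clauses = [f"not ({rule_to_bpf(r)})"
               for r in map(parse_drop_rule, rules_text.splitlines()) if r]
    return " and ".join(clauses)


def pass_rules(rules_text: str) -> List[str]:
    """The same exclusions as Snort pass rules (the thread's other option).
    Snort 1.x applies pass rules after alert rules unless started with -o."""
    out = []
    for r in map(parse_drop_rule, rules_text.splitlines()):
        if not r:
            continue
        out.append("pass {proto} {src} {sport} -> {dst} {dport}".format(
            proto=r.get("-p", "ip"), src=r.get("-s", "any"),
            sport=r.get("--sport", "any"), dst=r.get("-d", "any"),
            dport=r.get("--dport", "any")))
    return out


if __name__ == "__main__":
    print(exclusion_filter(SAMPLE_RULES))
    print("\n".join(pass_rules(SAMPLE_RULES)))
```

Because the BPF filter hides those packets from Snort completely, apply it only to ports you have confirmed closed on the monitored box, as Jan does for 161.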



--__--__--

Message: 3
Subject: RE: [Snort-users] PROBLEMAS
Date: Thu, 24 Oct 2002 11:46:53 -0500
From: "Kreimendahl, Chad J" <Chad.Kreimendahl at ...7295....com>
To: "Mario Alberto Soto Cordones" <mario_soto at ...7296....cl>,
   <snort-users at ...7287....sourceforge.net>


You may have to translate this back to spanish, 'cause my answer is
gonna be in english.

1.  Do you have the database tables set up for postgresql?
2.  When snort starts, do you see a connection made to the database?
3.  If no: Have you configured in snort.conf "output database
postgresql: ....."?

-----Original Message-----
From: Mario Alberto Soto Cordones [mailto:mario_soto at ...7296....cl]
Sent: Thursday, October 24, 2002 1:09 PM
To: snort-users at ...7287....sourceforge.net
Subject: [Snort-users] PROBLEMAS


I have snort installed on a RH 8.0, and I want to send the logs to a
postgresql database so that it interacts with acid.

My problem is that the database is not being filled with snort's alerts.

Please help me.







--__--__--

Message: 4
From: Joe Giles <jgiles at ...7288....com>
To: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 11:22:36 -0600
Subject: [Snort-users] Portscan 2 question

I have a weird problem with 2 entries in my ACID database. Apparently,
my server did a port scan on a remote machine. The problem is that no
one here initiated a port scan. The database lists my server IP as the
source and lists a dest IP. This is listed as a spp_portscan2. Does the
new snort scan other machines on the Internet? I don't want any issues
with other services because they think I'm port scanning their network.


Thanks

Joe





--__--__--

Message: 5
Date: Thu, 24 Oct 2002 13:28:44 -0400
From: Bennett Todd <bet at ...7297....net>
To: Daniel Curry <dcurry at ...7292....com>
Cc: snort-users at ...7287....sourceforge.net
Subject: Re: [Snort-users] dual inteface?



2002-10-24-11:28:04 Daniel Curry:
>  I had lost the email that gave information
> on how to configure snort to see two, eth2 and eth3,
> promiscuous interfaces on a redhat 7.2 system?

I think you're perhaps talking about this?

------------------------------------------------------------------------------

Version 1.2 --- that promisc is only needed on the bond0 interface

Version 1.1 --- need to explicitly "promisc" on the ifconfigs;
	snort's putting the -i bond0 into promisc didn't propagate
	back through to the underlying eth interfaces.

------------------------------------------------------------------------------

In Red Hat 7.3, with the default 2.4.18-3 kernel, it's really easy
to bond multiple channels to snort them all. The technique is
documented in /usr/src/linux/Documentation/networking/bonding.txt.
In brief:

	# append the alias (>>) rather than overwrite an existing modules.conf
	grep bond0 /etc/modules.conf || echo alias bond0 bonding >>/etc/modules.conf
	ifconfig bond0 promisc up
	for if in eth1 eth2 ...;do
		ifconfig $if up
		ifenslave bond0 $if
	done
	snort ... -i bond0 ...

Works great. The ifenslave invocations whinge a bit about all the
things they can't do with the unnumbered interfaces, but it all
works.

I used 3 Compaq DL-320s for a test setup. Each of these comes with
two eepro100 interfaces; in one I've added a third such interface in
the PCI slot. On each box the eth0 is the mgmt interface (NB when
you add a PCI card eepro100 it becomes eth0 and the two builtin NICs
renumber to eth1 and eth2).

Besides running the eth0 interfaces to a hub, I tied the two eth1s
from the dual-interface traffic generators to the eth1 and eth2
builtins on the 3-interface box, with crossover cables, running
100BaseT. I used the above invocations to get snort cooking with
its default sigs, listening to bond0 with eth1 and eth2 enslaved to
it. Snort sat idle. I fired up a ping -f on one of the generators
and snort jumped up to 25% CPU; then launched ping -f on the
other generator and it jumped to 55%. Each generator was emitting
c. 20,000 packets/second, default ping packet size (64 bytes).

When I next tried tcpreplay[1], all was not as happy, until I
stumbled across the above-mentioned need to promisc the bond0
interface manually as you're ifconfigging it. Actually, what I first
did was ifconfig both the bond0 and the underlying eth# interfaces
promisc; that worked too, but was overkill. When I inquired about
this matter on the bonding-devel mailing list, they explained to me
that flags like promisc _Are_ propagated down to the underlying
interfaces, but only at ifenslave time, not later.

Once I got that, things got lots more better. Do remember when
benchmarking with tcpreplay to make sure to tcpdump -s 0, so you
aren't using captures with truncated packets.

-Bennett

[1] <URL:http://tcpreplay.sf.net/>



--__--__--

Message: 6
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: "Hicks, John" <JHicks at ...7289....GC.CA>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 11:54:41 -0600

Wheew... I thought I was hacked or something. I thought some one was
using my server as a proxy to scan other networks :-P

I'm not sure how to alleviate this problem, but maybe the Snort gurus
can figure it out :)

Thanks

Joe

On Thu, 2002-10-24 at 11:46, Hicks, John wrote:
> I'm noticing the same thing after installing 1.9 on a Web Server. It seems to
> detect my $HOME_NET address replying to multiple web requests on various
> ephemeral ports as a portscan. any thoughts on how to control this? I tried
> the ignorehosts to no avail :(
>
> John
>
> -----Original Message-----
> From: Joe Giles [mailto:jgiles at ...7288....com]
> Sent: Thursday, October 24, 2002 1:23 PM
> To: Snort-List
> Subject: [Snort-users] Portscan 2 question
>
>
> I have a weird problem with 2 entries in my ACID database. Apparently,
> my server did a port scan on a remote machine. The problem is that no
> one here initiated a port scan. The database lists my server IP as the
> source and lists a dest IP. This is listed as a spp_portscan2. Does the
> new snort scan other machines on the Internet? I don't want any issues
> with other services because they think I'm port scanning their network.
>
> Thanks
>
> Joe
>




--__--__--

Message: 7
From: Soren Macbeth <smacbeth at ...7298....com>
To: Snort-List <snort-users at ...7287....sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:02:40 -0400

Look at the ports that portscan2 reported. Sometimes clients browsing
websites cause portscan2 to trigger based on the fact that some browsers
initiate a new connection (and thus, new port) for each image. If you
haven't changed the config, there should be a scan.log file in your snort log
directory which will have more info.

//soren


--__--__--

Message: 8
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: Robby Desmond <rdesmond at ...7299....ucsb.edu>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 12:12:44 -0600

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list?

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Thanks for the reply

Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> At 11:22 AM 10/24/02 -0600, you wrote:
> >I have a weird problem with 2 entries in my ACID database. Apparently,
> >my server did a port scan on a remote machine. The problem is that no
> >one here initiated a port scan. The database lists my server IP as the
> >source and lists a dest IP. This is listed as a spp_portscan2. Does the
> >new snort scan other machines on the Internet? I don't want any issues
> >with other services because they think I'm port scanning their network.
> >
> >Thanks
> >
> >Joe
> 
> Are you, by chance, running DNS?
> 
> You should add your DNS servers to the list of portscan2-ignorehosts,
> otherwise you will get this sort of activity.
> 
> If you are not running DNS, then check the "lasts" command to see who has
> been on your system. (Or who has been appearing as someone on your system.)
> 
> -Robby
> 
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906




--__--__--

Message: 9
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: Robby Desmond <rdesmond at ...7299....ucsb.edu>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 12:15:54 -0600

I also checked the history files of the 5 users I do have and nothing in
there indicates that nmap or nessus or any other scanner was run. And
there was no sudo or su command initiated.
3D20=3D


Thanks

Joe





--__--__--

Message: 10
Subject: Re: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: Robby Desmond <rdesmond at ...7299....ucsb.edu>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 12:21:58 -0600

Hey, that is a neat command :).

Well, according to last, no one logged on but me during the time of the
"Issue".

Thanks. I will add my ISP's DNS to the list and see if that helps. This
is the first time I have seen this message in ACID since I upgraded to
the new snort. That was better than a week ago.

Thanks

Joe

On Thu, 2002-10-24 at 12:16, Robby Desmond wrote:
> At 12:12 PM 10/24/02 -0600, you wrote:
> >Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
> >Should I add that to the list?
> 
> Yes. That will reduce your portscan alerts, but doesn't solve the problem
> of your host causing portscan alerts.
> 
> >Also, I don't seem to have the 'lasts' command. What package is that
> >part of?
> 
> Oops. Make that singular "last".  It is a standard UNIX tool.
> 
> >Thanks for the reply
> >
> >Joe
> 
> No prob.
> 
> You might also want to check to see if any of the services you run from
> your server periodically scan hosts for some reason.
> 
> HTH,
> -Robby
> 
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906




--__--__--

Message: 11
Subject: RE: [Snort-users] Portscan 2 question
From: Joe Giles <jgiles at ...7288....com>
To: Soren Macbeth <smacbeth at ...7298....com>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Date: 24 Oct 2002 12:26:18 -0600

Here is what I found in that scan.log file for the 2 dest IPs.

Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/18-13:33:27.113376  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 3782 dport: 27160 tgts: 9 ports: 139 event_id: 450
10/18-13:36:00.675879  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 4825 dport: 27160 tgts: 10 ports: 158 event_id: 458
10/18-14:52:00.545930  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34177 dport: 27160 tgts: 7 ports: 129 event_id: 1021
10/18-19:04:12.292185  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1628 dport: 27160 tgts: 10 ports: 130 event_id: 1161
10/19-12:38:43.719170  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 34139 dport: 27160 tgts: 9 ports: 126 event_id: 1417
10/19-19:16:04.828533  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1637 dport: 27160 tgts: 11 ports: 129 event_id: 1585
10/19-19:41:53.321697  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1649 dport: 27160 tgts: 10 ports: 125 event_id: 1600
10/19-21:13:32.829862  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33921 dport: 27160 tgts: 11 ports: 112 event_id: 1639
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0

What do you think?

Thanks

Joe







--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at ...7287....sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



--__--__--

Message: 2
From: Soren Macbeth <smacbeth at ...7298....com>
To: 'Joe Giles' <jgiles at ...7288....com>, Soren Macbeth
	 <smacbeth at ...7298....com>
Cc: Snort-List <snort-users at ...7287....sourceforge.net>
Subject: RE: [Snort-users] Portscan 2 question
Date: Thu, 24 Oct 2002 14:32:59 -0400

I'm not sure about the udp dport 27160 stuff. Are you running some
application on that port? It's all traffic to one particular host. You may
want to check into that.

The second one is definitely benign web browsing.

//soren





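Added example, not code from the thread and not Snort's own: a small Python triage of scan.log records in the layout Joe posted, applying the rules of thumb from the replies above (repeated TCP SYNs to port 80 on a handful of hosts are a browser fetching page assets, as Soren says; UDP to port 53 is the resolver case Robby says to put in portscan2-ignorehosts; anything else, such as the UDP 27160 hits, is flagged for a look at the sending process). The sample input is constructed: records copied from Joe's excerpt plus one made-up UDP/53 record to 192.0.2.53, a documentation address standing in for an ISP resolver. The verdict rules are my heuristics, and the "preprocessor portscan2-ignorehosts:" syntax (a space-separated host list) is assumed from the Snort 1.9 portscan2 documentation, not confirmed anywhere in the thread.

```python
"""Triage of Snort 1.9 spp_portscan2 scan.log records (added example)."""
import re
from collections import defaultdict

# Record layout as posted in the thread; scan.log writes one record per line,
# the mail merely wrapped them.  "flags:" is only present on TCP records.
RECORD = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+"
    r"ports:\s*(?P<ports>\d+)(?:\s+flags:\s*(?P<flags>\S+))?\s+event_id:\s*(?P<event_id>\d+)\s*$"
)

# Constructed sample: five records copied from Joe's excerpt plus one made-up
# UDP/53 record to 192.0.2.53 (documentation address) standing in for an ISP resolver.
SAMPLE_SCAN_LOG = """\
Instance 1>
10/17-14:29:25.712618  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33905 dport: 27160 tgts: 10 ports: 114 event_id: 1525
10/18-12:05:07.946026  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 1641 dport: 27160 tgts: 9 ports: 130 event_id: 400
10/18-13:22:24.504843  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 2804 dport: 27160 tgts: 8 ports: 121 event_id: 433
10/22-14:51:35.899289  UDP src: <INTERNALIP> dst: 207.19.97.119 sport: 33952 dport: 27160 tgts: 3 ports: 21 event_id: 0

Instance 2>
10/23-11:17:52.681476  TCP src: <INTERNALIP> dst: 206.65.183.110 sport: 1097 dport: 80 tgts: 6 ports: 7 flags: ******S* event_id: 0
10/23-11:20:01.000000  UDP src: <INTERNALIP> dst: 192.0.2.53 sport: 32790 dport: 53 tgts: 1 ports: 40 event_id: 0
"""


def parse_scan_log(text):
    """Return one dict per parsable record; numeric fields become ints.
    Lines that are not records ("Instance 1>", blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "tgts", "ports", "event_id"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def classify(rec):
    """Heuristic verdict for one record (my rules, not Snort's):
    - TCP SYNs to port 80: a browser opening one connection per image
    - UDP to port 53: resolver traffic, candidate for portscan2-ignorehosts
    - anything else: unexplained, go look at the process on the source host
    """
    if rec["proto"] == "TCP" and rec["dport"] == 80 and rec["flags"] == "******S*":
        return "browsing"
    if rec["proto"] == "UDP" and rec["dport"] == 53:
        return "dns"
    return "investigate"


def summarize(records):
    """Group by (proto, dst, dport) so repeated hits on one service stand out."""
    groups = defaultdict(lambda: {"hits": 0, "sports": set(), "max_tgts": 0, "max_ports": 0})
    for rec in records:
        g = groups[(rec["proto"], rec["dst"], rec["dport"])]
        g["hits"] += 1
        g["sports"].add(rec["sport"])
        g["max_tgts"] = max(g["max_tgts"], rec["tgts"])
        g["max_ports"] = max(g["max_ports"], rec["ports"])
        g["verdict"] = classify(rec)
    return dict(groups)


def ignorehosts_directive(records):
    """Build the snort.conf line that suppresses the resolver hits.
    Syntax (space-separated host list) is assumed from the Snort 1.9 docs.
    Returns None when no record was classified as DNS."""
    dns_hosts = sorted({r["dst"] for r in records if classify(r) == "dns"})
    if not dns_hosts:
        return None
    return "preprocessor portscan2-ignorehosts: " + " ".join(dns_hosts)


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_SCAN_LOG)
    for (proto, dst, dport), g in summarize(recs).items():
        print(f"{proto} {dst}:{dport}  hits={g['hits']} sports={len(g['sports'])} "
              f"max_tgts={g['max_tgts']} max_ports={g['max_ports']}  -> {g['verdict']}")
    print(ignorehosts_directive(recs))
```

To use it on a real box, read scan.log from the snort log directory into SAMPLE_SCAN_LOG's place. Anything that comes out as "investigate" is worth matching against netstat or lsof on the source host around the logged timestamp: the tgts and ports counters say how wide the activity was, but nothing in scan.log says which process sent it, which is the question Soren's reply leaves open for the 27160 traffic.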
--__--__--

Message: 3
Date: Thu, 24 Oct 2002 11:58:01 -0700
From: Gary Verhulp <garyv at ...7300....nokia.com>
Reply-To: gary.verhulp at ...7301....com
To: Joe Giles <jgiles at ...7288....com>, snort-users at ...7287....sourceforge.net
Subject: Re: [Snort-users] Portscan 2 question

On most Unix that I'm familiar with, it's "last" not "lasts".
What OS are you on?
What are the ports used in the scan?
Can you post a section of the alert?

Gary








More information about the Snort-users mailing list