[Snort-users] portscan2 and conversation

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Mon Sep 15 08:26:12 EDT 2003


I thought so too... but we've experienced the same thing.  I believe the
issue was that a valid connection counts, since if someone was scanning
they may make a valid connection and send data to make it look real.
The likely culprit is the lack of keepalives on the server, causing your
system to open a new connection for every item to download... thus
giving you a new local port and looking like that web server is
portscanning you.  You could do a portscan-ignoreports-from 80... but
then anyone knowing how to set their scanner from source port 80 would
defeat you...



-----Original Message-----
From: Denny Page [mailto:denny at ...10070...] 
Sent: Saturday, September 13, 2003 6:03 PM
To: Snort Users
Subject: [Snort-users] portscan2 and conversation


Ok, dumb question time.

I have portscan2 set up to ignore hosts from my local network.  This
appears to work fine for both TCP and UDP, i.e. no alerts from DNS
activity, and no alerts from nmaps within the network.  Nmaps from
outside the network trigger alerts as you would expect.  This is all
desirable.

What is not desirable is that alerts are being triggered by outbound
HTTP requests.  When visiting a site that is comprised of many
individual files such as graphic navigation bars
(www.securityfocus.com is one such), portscan2 reports that the remote
HTTP server is executing a portscan on the machine running the browser.

Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP
server sends in response to the SYN from the browser.  Since the SYN-ACK
is in response to a connection (conversation) initiated by a
portscan2-ignored host, I would not expect it to trigger an alert.
Isn't this what conversation is for?

Am I missing something, or is portscan2 goofy?

Thanks for any assistance,

Denny
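To make the false positive discussed in this thread concrete, here is an added illustration (not Snort's portscan2 or conversation code, and not from either poster): a naive per-source port counter that ignores direction flags the web server when a browser without keep-alive opens many short connections, while a direction-aware counter that attributes each connection to the host that sent the bare SYN does not, yet still catches a scanner that sets its source port to 80. The packet events, addresses and threshold are constructed for the example.

```python
"""Constructed packet events, not real captures. Each tuple is
(src_ip, src_port, dst_ip, dst_port, tcp_flags), with "S" a bare SYN
and "SA" a SYN/ACK reply."""
from collections import defaultdict

IGNORED_HOSTS = {"192.168.1.10"}   # the local browsing machine (assumed)
THRESHOLD = 5                      # distinct ports before calling it a scan (assumed)

# Browser fetching 6 objects without keep-alive: 6 SYNs out, 6 SYN/ACKs back,
# each on a fresh local port.
BROWSING = []
for i in range(6):
    lport = 40000 + i
    BROWSING.append(("192.168.1.10", lport, "203.0.113.5", 80, "S"))   # browser SYN
    BROWSING.append(("203.0.113.5", 80, "192.168.1.10", lport, "SA"))  # server reply

# A scanner probing 6 ports on the same machine, using source port 80 to blend in.
SCAN = [("198.51.100.7", 80, "192.168.1.10", p, "S")
        for p in (21, 22, 23, 25, 110, 143)]


def naive_scan_sources(events):
    """Count distinct destination ports each non-ignored source touched,
    regardless of who initiated the connection."""
    ports = defaultdict(set)
    for src, sport, dst, dport, flags in events:
        if src in IGNORED_HOSTS:
            continue
        ports[src].add(dport)
    return {src for src, p in ports.items() if len(p) >= THRESHOLD}


def conversation_aware_scan_sources(events):
    """Attribute each connection to the host that sent the bare SYN; a SYN/ACK
    only counts when no matching conversation was opened by the receiver."""
    initiated = set()   # conversations opened by a SYN, keyed (a, pa, b, pb)
    ports = defaultdict(set)
    for src, sport, dst, dport, flags in events:
        if flags == "S":
            initiated.add((src, sport, dst, dport))
            if src not in IGNORED_HOSTS:
                ports[src].add(dport)
        elif flags == "SA":
            solicited = (dst, dport, src, sport) in initiated
            if not solicited and src not in IGNORED_HOSTS:
                ports[src].add(dport)
    return {src for src, p in ports.items() if len(p) >= THRESHOLD}
```

The naive counter reports 203.0.113.5 for the browsing traffic, the conversation-aware one reports nothing, and both report 198.51.100.7 for the scan because it is keyed on direction rather than on the source port.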


