[Snort-users] portscan2 and conversation

Denny Page denny at ...10070...
Tue Sep 16 11:28:05 EDT 2003

If any one is interested, this turns out to be a defect in spp_conversation.

If you are seeing hundreds or thousands of SYN/ACK entries in the scan log
like so:

09/13-18:38:17.928330  TCP src: X.X.X.X dst: X.X.X.X sport: 80 dport: X
tgts: 1 ports: 150 flags: ***A**S* event_id: 482

This is due to a defect in spp_conversation.c.  A patch has been submitted.


----- Original Message ----- 
From: "Denny Page" <denny at ...10070...>
To: "Snort Users" <snort-users at lists.sourceforge.net>
Sent: Saturday, September 13, 2003 16:02
Subject: [Snort-users] portscan2 and conversation

> Ok, dumb question time.
> I have portscan2 set up to ignore hosts from my local network.  This
> to work fine for both TCP and UDP.  I.E. no alerts from DNS activity, and
> alerts from nmaps within the network.  Nmaps from outside the network
> trigger alerts as you would expect.  This is all desirable.
> What is not desirable is that alerts are being triggered by outbound HTTP
> requests.  When visiting a site that is comprised of many individual files
> such as graphic navigation bars (www.securityfocus.com is one such) ,
> portscan2 reports that the remote HTTP server is executing a portscan on
> machine running the browser.
> Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP
> server sends in response to the SYN from the browser.  Since the SYN-ACK
> being in response to a connection (conversation) initiated by a portscan2
> ignored host, I would not expect it to trigger an alert.  Isn't this what
> conversation is for?
> Am I missing something, or is portscan2 goofy?
> Thanks for any assistance,
> Denny
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list