[Snort-users] portscan2 and conversation
denny at ...10070...
Tue Sep 16 11:28:05 EDT 2003
If any one is interested, this turns out to be a defect in spp_conversation.
If you are seeing hundreds or thousands of SYN/ACK entries in the scan log
09/13-18:38:17.928330 TCP src: X.X.X.X dst: X.X.X.X sport: 80 dport: X
tgts: 1 ports: 150 flags: ***A**S* event_id: 482
This is due to a defect in spp_conversation.c. A patch has been submitted.
----- Original Message -----
From: "Denny Page" <denny at ...10070...>
To: "Snort Users" <snort-users at lists.sourceforge.net>
Sent: Saturday, September 13, 2003 16:02
Subject: [Snort-users] portscan2 and conversation
> Ok, dumb question time.
> I have portscan2 set up to ignore hosts from my local network. This
> to work fine for both TCP and UDP. I.E. no alerts from DNS activity, and
> alerts from nmaps within the network. Nmaps from outside the network
> trigger alerts as you would expect. This is all desirable.
> What is not desirable is that alerts are being triggered by outbound HTTP
> requests. When visiting a site that is comprised of many individual files
> such as graphic navigation bars (www.securityfocus.com is one such),
> portscan2 reports that the remote HTTP server is executing a portscan on
> the machine running the browser.
> Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP
> server sends in response to the SYN from the browser. Since the SYN-ACK
> is in response to a connection (conversation) initiated by a portscan2
> ignored host, I would not expect it to trigger an alert. Isn't this what
> conversation is for?
> Am I missing something, or is portscan2 goofy?
> Thanks for any assistance,
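The false positive described in the thread, as an added illustration that is not part of the original posts or of Snort's own code: a scorer that checks the ignore list only against each packet's source treats the server's SYN/ACK replies as a scan of the browser, while one that attributes packets to the host that opened the conversation does not. Host addresses, port numbers and packet tuples are constructed for the example.

```python
from collections import defaultdict

# Constructed sample traffic (not from the thread): browser 10.0.0.5 sits on
# the local network that portscan2 is told to ignore; web server
# 203.0.113.10:80 answers each of its 150 connection attempts with a SYN/ACK.
BROWSER, SERVER, SCANNER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
IGNORED_HOSTS = {BROWSER}

def http_session_packets(n_conns=150):
    """One SYN + one SYN/ACK per object fetched; tuples are (src, sport, dst, dport, flags)."""
    pkts = []
    for i in range(n_conns):
        cport = 40000 + i
        pkts.append((BROWSER, cport, SERVER, 80, "S"))
        pkts.append((SERVER, 80, BROWSER, cport, "SA"))
    return pkts

def outside_scan_packets(n_ports=20):
    """An outside host probing n_ports on the browser; closed ports answer RST/ACK."""
    pkts = []
    for p in range(1, n_ports + 1):
        pkts.append((SCANNER, 50000 + p, BROWSER, p, "S"))
        pkts.append((BROWSER, p, SCANNER, 50000 + p, "RA"))
    return pkts

def naive_scan_score(pkts, ignored):
    """Per-source count of distinct (dst, dport) over SYN-bearing packets.
    The ignore list is checked only against the packet's own source, so the
    server's SYN/ACK replies look like 150 ports probed on the browser."""
    ports = defaultdict(set)
    for src, sport, dst, dport, flags in pkts:
        if src in ignored or "S" not in flags:
            continue
        ports[src].add((dst, dport))
    return {src: len(p) for src, p in ports.items()}

def conversation_scan_score(pkts, ignored):
    """Same count, but each packet is attributed to the host that opened the
    conversation: replies never count, and conversations opened by an
    ignored host are skipped entirely."""
    initiator = {}  # direction-independent conversation key -> initiating host
    ports = defaultdict(set)
    for src, sport, dst, dport, flags in pkts:
        key = frozenset([(src, sport), (dst, dport)])
        initiator.setdefault(key, src)
        if initiator[key] != src or src in ignored or "S" not in flags:
            continue
        ports[src].add((dst, dport))
    return {src: len(p) for src, p in ports.items()}
```

The outside scan is scored identically by both functions, which is the behaviour the thread says was already working; only the reply-to-an-ignored-host case differs.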