[Snort-users] Tcp portscans

Jeremy Hewlett jh at ...1935...
Wed Feb 23 13:26:23 EST 2005

On Wed, Feb 23, Lee Clemens wrote:
> I have been noticing a lot of alerts and logged packets with the title "TCP
> Portscan", but when I look at Ethereal (running all the time) I can't seem
> to find any packets similar to the ones logged. The full alert is
> [122:1:0] (portscan) TCP Portscan {PROTO255} ExternalIP ->
> IPofLocalDMZ.Computer

Looking at it for face value, you're right. These packets did not
appear on the network. Proto 255 is reserved, and so we use that to
signify the pseudo portscan packet. This is a crafted packet that
contains all the information about the scan in the payload.

This is done so that we don't have to store every packet that caused
the portscan alert.

> I have also seen a lot of packets logged with Info: Bogus IP length (14,
> less than header length 20), but Ethereal does not see these on the regular
> recording either.

This sounds like the "off by 14 bytes" problem sfPortscan had in RC2.
Are you running an RC of 2.3.0? 

> Another interesting point is that the logged packets always have the same
> Src and Dst MAC addresses (which isn't on my local network) but with a Src
> IP address that I will see traffic from occasionally (legitamate), but not
> with the DMZ.Computer.

Are these addresses 4D:41:43:44:41:44? That's the MAC address used for
the pseudo packet. The source and dest IPs you see in the header of
the pseudo packet are the IP pairs that kicked off the alert.

More information about the Snort-users mailing list