[Snort-users] Portsweep and ICMP Sweep Alerts

Omar Osta o.osta1978 at ...11827...
Fri Mar 27 08:54:10 EDT 2015


Hi,

I have been testing and tuning Snort before putting it into production. Two
days ago I put my workstation on the switch for testing and fine tuning.
Yesterday morning I noticed TCP Portsweep event logs coming from my
workstation to the internet. I downloaded the payload and opened it into
notepad and it looks like Open Port: 80 or Open Port: 443.  There is no
pcap to download. I ran wireshark to see if it could detect it, but it
could not.

My sfportscan preprocessor is setup like this: preprocessor sfportscan:
proto  { all } memcap { 10000000 } sense_level { low } scan_type { all  }
logfile { /etc/snort/portscan.log }

Yesterday I have detected 413 port Sweeps and one ICMP sweep. Most sweeps
were to external ip addresses and but some were inside my network. That is
when I really got concerned.

This morning I had another ICMP sweep from my computer to a server on a
different subnet that I had opened a webpage to. The really weird thing
about this is the payload said the scanned range was on the subnet my
workstation was on. Not the destination IP address of the ICMP sweep alert.

Payload is this:

Priority Count:
5Connection Count: 13
IP Count: 13
Scanned IP Range: (sanitized)
Port/Proto Count: 0
Port/Proto Range: 0:0

 Is my computer compromised or is there a chance these are false positives?
I can't find any software on my computer that isn't supposed to be there.
Yes I have nmap, but I wasn't doing those scans. My anti virus and maleware
bytes says my computer is clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150327/087cc500/attachment.html>


More information about the Snort-users mailing list