Very Computer

I put Snort on my system last night and it's starting to detect things,
I need help understanding the output, does the following mean that my
system is issueing a port scan or does it mean that someone is scanning
me? (the xx.xxx.xxx.65 is my IP address)

04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-12:58:15.442163  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-12:58:55.724257  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-12:59:15.447610  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-12:59:19.172129  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:00:15.440175  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-13:00:35.742465  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:01:15.447612  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:02:15.454337  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:03:15.461526  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:04:15.895894  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:05:15.489891  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:15.484172  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:24.481672  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:36.481191  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:07:00.480261  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:07:15.497180  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:08:15.499105  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:09:15.520534  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:10:15.529660  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:11:16.444651  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TC

65.200.172.65 is your IP address.

Quote:> 04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED
> from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]

FROM 65.200.172.65.  This means that the portscan is coming from
65.200.172.65.  Since that's you, it means that the "portscan" was issued
from your computer.

Actually, all it means is that 4 connections were detected in 4 seconds.
If you were nmapping, among other things, that could be it.

--
drumstik

www.ameriphreak.com
http://phreaks.freeshell.org/files/valuhack.exe

Quote:> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issueing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

> 04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED
> from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
> 04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
> 04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]

[snip]

It's looking rather interesting. Again, time you started tcpdump-ing
yourself or looking at the packets logged in snort if possible to see what
these packets were really all about. If they're all different (especially,
consecutive) IP#s on the same destination port, then you're being a Norty
Scanner...

Yes, running snort is Fun until you get used to the pattern of traffic
involved ;)

~Tim
--

West winds blow.                            |http://spodzone.org.uk/

Quote:> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issueing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

One common problem with new snort installations is that DNS queries often
trigger false portscans, since they tend to send a lot of UDP packets.
This is especially true when there is some other activity, like web
browsing, going on that's hitting a lot of different domains.  

The snort.conf file has a definition for a variable called $DNS_SERVERS
which is usually used to exclude these DNS false positives.  Try setting
that variable's value to your name servers and see if that helps you at
all.  You could also just try setting it's value to $HOME_NET, which should
exclude scans coming from anything on your LAN (assuming you're able to
determine that they really are false positives of some sort).

        David

--

Thomas Jefferson National Accelerator Facility

     The views expressed herein are soley those of the author and
            not those of SURA/Jefferson Lab or the US DOE.

[]

Quote:> Yes, running snort is Fun until you get used to the pattern of traffic
> involved ;)

You're not kidding.

Today, I have mostly been trying to get a box to remotely syslog over a
VPN tunnel, when the box in question *is* the far end of the IPSEC
gateway - whilst snorting to ensure that *no* private IP or unencrypted
traffic passes over the link...

As an aside, rather than open up another Freeswan connection from
$DISTANTGATEWAY to $LOCALSUBNET, ('cos my default route is *to*
$LOCAL_PUBLIC_IP 'thru $DISTANT_PUBLIC_NIC - anyting else wasn't happy)
I'm using iptables to SNAT traffic -s $DISTANT_PUBLIC_IP, -d
$LOCALSUBNET .. --to-source $DISTANT_PRIVATE_IP and it seems to work -
Is this a viable alternative to the iproute or multi-connection
solutions that STFW'ing suggested?

rgds, Alan

--
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5

65.200.172.65   <--- This IP?