Help!! Snort detected portscan, is it coming from me?

Post by B. Joshua Rose » Wed, 10 Apr 2002 03:22:01



I put Snort on my system last night and it's starting to detect things,
I need help understanding the output, does the following mean that my
system is issuing a port scan or does it mean that someone is scanning
me? (the xx.xxx.xxx.65 is my IP address)

04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-12:58:15.442163  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-12:58:55.724257  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-12:59:15.447610  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-12:59:19.172129  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:00:15.440175  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
04/08-13:00:35.742465  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:01:15.447612  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:02:15.454337  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:03:15.461526  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:04:15.895894  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:05:15.489891  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:15.484172  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:24.481672  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:06:36.481191  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:07:00.480261  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:07:15.497180  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:08:15.499105  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:09:15.520534  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:10:15.529660  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:11:16.444651  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TC


Help!! Snort detected portscan, is it coming from me?

Post by drumsti » Wed, 10 Apr 2002 04:36:22



> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issuing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

65.200.172.65 is your IP address.

Quote:> 04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED
> from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]

FROM 65.200.172.65.  This means that the portscan is coming from
65.200.172.65.  Since that's you, it means that the "portscan" was issued
from your computer.

Actually, all it means is that 4 connections were detected in 4 seconds.
If you were nmapping, among other things, that could be it.

--
drumstik

www.ameriphreak.com
http://phreaks.freeshell.org/files/valuhack.exe
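The way drumstik reads the line can be made mechanical. The following is an added example, not code from the original thread and not part of Snort: it parses the two spp_portscan alert formats quoted above ([100:1:1] PORTSCAN DETECTED and [100:2:1] portscan status), groups them by the address after "from", and reports whether that address is the monitored host. The sample lines are constructed from the ones in the post; the second source address 192.0.2.10 and the MY_IP value are placeholders.

```python
import re

# Constructed sample input. The first three lines reproduce the alert format
# quoted in the thread (the poster masked his address as xx.xxx.xxx.65); the
# last two use a made-up second source (192.0.2.10, a documentation address)
# so that the "someone else is the source" case is exercised too.
SAMPLE_ALERTS = """\
04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
04/08-13:20:01.000000  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
04/08-13:20:05.000000  [**] [100:2:1] spp_portscan: portscan status from 192.0.2.10: 12 connections across 1 hosts: TCP(9), UDP(3) [**]
"""

# The address Snort is watching from, as masked in the thread (placeholder).
MY_IP = "xx.xxx.xxx.65"

# Common prefix: timestamp, [**], [gid:sid:rev], preprocessor name.
_HEAD = (r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
         r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+spp_portscan:\s+")
DETECTED_RE = re.compile(
    _HEAD + r"PORTSCAN DETECTED from (?P<src>\S+) "
            r"\(THRESHOLD (?P<thr>\d+) connections exceeded in (?P<secs>\d+) seconds\)")
STATUS_RE = re.compile(
    _HEAD + r"portscan status from (?P<src>\S+): (?P<conns>\d+) connections "
            r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")


def parse_alert(line):
    """Parse one spp_portscan alert line into a dict, or None for other lines."""
    m = DETECTED_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "detected"
        rec["thr"], rec["secs"] = int(rec["thr"]), int(rec["secs"])
        return rec
    m = STATUS_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "status"
        for k in ("conns", "hosts", "tcp", "udp"):
            rec[k] = int(rec[k])
        return rec
    return None


def summarize(text, my_ip):
    """Group alerts by the address after 'from' and say whether that is us.

    spp_portscan names the source of the connections it counted, so an alert
    'from' my_ip means this host originated the traffic; any other address
    means we were the target, or a bystander on the monitored segment.
    """
    summary = {}
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["src"], {
            "direction": ("outbound (this host is the source)" if rec["src"] == my_ip
                          else "inbound or third party (another host is the source)"),
            "threshold": None, "status_reports": 0,
            "connections": 0, "tcp": 0, "udp": 0, "max_hosts_per_report": 0,
        })
        if rec["kind"] == "detected":
            entry["threshold"] = (rec["thr"], rec["secs"])   # (connections, seconds)
        else:
            entry["status_reports"] += 1
            entry["connections"] += rec["conns"]
            entry["tcp"] += rec["tcp"]
            entry["udp"] += rec["udp"]
            entry["max_hosts_per_report"] = max(entry["max_hosts_per_report"], rec["hosts"])
    return summary


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_ALERTS, MY_IP).items():
        print(src, entry)
```

Two caveats when reading the result. spp_portscan attributes connections to the packet's source address, so if Snort runs on a masquerading gateway, every LAN host's traffic is reported "from" the gateway's own address. And the 4-in-4 threshold is just a counter: a burst of ordinary connections to several hosts trips it exactly as an nmap run does, which is why the status lines above show a single 6-host burst followed by one- and two-host blips.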


Help!! Snort detected portscan, is it coming from me?

Post by Tim Hayne » Wed, 10 Apr 2002 07:45:15



Quote:> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issuing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

> 04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED
> from xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
> 04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
> 04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]

[snip]

It's looking rather interesting. Again, time you started tcpdump-ing
yourself or looking at the packets logged in snort if possible to see what
these packets were really all about. If they're all different (especially,
consecutive) IP#s on the same destination port, then you're being a Norty
Scanner...

Yes, running snort is Fun until you get used to the pattern of traffic
involved ;)

~Tim
--

West winds blow.                            |http://spodzone.org.uk/
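Tim's rule of thumb (many different, often consecutive, destination addresses on one destination port means you are the one sweeping) can be checked against the packets themselves. The following is an added example, not from the thread and not part of Snort or tcpdump: it parses tcpdump-style summary lines for source, destination and destination port, then flags a source that hits at least min_targets distinct hosts on one port (a horizontal sweep, reporting the longest run of numerically consecutive targets) or at least min_targets ports on one host (a vertical scan). The capture lines are constructed for the example using documentation addresses; 192.0.2.65 stands in for the poster's masked .65 host.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture). Both the older
# "src.port > dst.port: S" spelling and the newer "IP ... Flags [S]" one
# are accepted; only the addresses and destination port matter here.
SAMPLE_TCPDUMP = """\
12:57:38.253334 192.0.2.65.1034 > 198.51.100.10.80: S 10:10(0) win 5840
12:57:38.261001 192.0.2.65.1035 > 198.51.100.11.80: S 11:11(0) win 5840
12:57:38.270112 192.0.2.65.1036 > 198.51.100.12.80: S 12:12(0) win 5840
12:57:38.281540 192.0.2.65.1037 > 198.51.100.13.80: S 13:13(0) win 5840
12:57:38.290007 192.0.2.65.1038 > 198.51.100.14.80: S 14:14(0) win 5840
12:57:38.301233 192.0.2.65.1039 > 198.51.100.15.80: S 15:15(0) win 5840
12:58:01.000000 IP 203.0.113.9.40001 > 192.0.2.65.21: Flags [S], seq 1, win 1024
12:58:01.010000 IP 203.0.113.9.40002 > 192.0.2.65.22: Flags [S], seq 2, win 1024
12:58:01.020000 IP 203.0.113.9.40003 > 192.0.2.65.23: Flags [S], seq 3, win 1024
12:58:01.030000 IP 203.0.113.9.40004 > 192.0.2.65.25: Flags [S], seq 4, win 1024
12:58:01.040000 IP 203.0.113.9.40005 > 192.0.2.65.80: Flags [S], seq 5, win 1024
12:59:10.000000 192.0.2.65.1040 > 203.0.113.50.80: S 20:20(0) win 5840
12:59:12.000000 192.0.2.65.1041 > 203.0.113.50.80: S 21:21(0) win 5840
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:IP )?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")


def parse_tcpdump(text):
    """Reduce each line to (src, dst, dport); lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def consecutive_run(addrs):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    nums = sorted(int(ipaddress.IPv4Address(a)) for a in set(addrs))
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def classify(flows, min_targets=4):
    """Findings keyed by source address.

    horizontal: one destination port, many destination hosts (Tim's case:
    if the hosts are consecutive too, it is almost certainly a sweep).
    vertical: one destination host, many destination ports.
    """
    by_src_port = defaultdict(list)   # (src, dport) -> [dst, ...]
    by_src_dst = defaultdict(set)     # (src, dst)   -> {dport, ...}
    for src, dst, dport in flows:
        by_src_port[(src, dport)].append(dst)
        by_src_dst[(src, dst)].add(dport)

    findings = defaultdict(list)
    for (src, dport), dsts in by_src_port.items():
        uniq = set(dsts)
        if len(uniq) >= min_targets:
            findings[src].append({"type": "horizontal", "dport": dport,
                                  "hosts": len(uniq),
                                  "longest_consecutive_run": consecutive_run(uniq)})
    for (src, dst), ports in by_src_dst.items():
        if len(ports) >= min_targets:
            findings[src].append({"type": "vertical", "target": dst,
                                  "ports": sorted(ports)})
    return dict(findings)


if __name__ == "__main__":
    for src, items in classify(parse_tcpdump(SAMPLE_TCPDUMP)).items():
        for item in items:
            print(src, item)
```

In the sample the .65 host touches seven different hosts on port 80, six of them a consecutive block, which is the "Norty Scanner" pattern; 203.0.113.9 walks five ports on the .65 host, which is the being-scanned pattern. Two connections to the same web server do not register at all. The min_targets knob plays the same role as spp_portscan's threshold, and the same caveat applies: a browser pulling a page whose images live on several hosts will look horizontal on port 80 unless the run-length check is consulted.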


Help!! Snort detected portscan, is it coming from me?

Post by David Bianc » Wed, 10 Apr 2002 21:05:22



Quote:> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issuing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

One common problem with new snort installations is that DNS queries often
trigger false portscans, since they tend to send a lot of UDP packets.
This is especially true when there is some other activity, like web
browsing, going on that's hitting a lot of different domains.  

The snort.conf file has a definition for a variable called $DNS_SERVERS
which is usually used to exclude these DNS false positives.  Try setting
that variable's value to your name servers and see if that helps you at
all.  You could also just try setting its value to $HOME_NET, which should
exclude scans coming from anything on your LAN (assuming you're able to
determine that they really are false positives of some sort).

        David

--

Thomas Jefferson National Accelerator Facility

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.
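David's fix, written out as a snort.conf fragment. This is an added example, not the poster's configuration: the var and preprocessor lines follow the Snort 1.x syntax as recalled from the manual of that era, so check them against the snort.conf your version installs before copying. The network and resolver addresses are placeholders from the documentation ranges; the 4 and 4 match the THRESHOLD printed in the quoted alerts.

```conf
# snort.conf excerpt (Snort 1.x syntax; addresses are placeholders)
var HOME_NET 192.0.2.0/24

# Name only the resolvers you actually use, so their traffic is the only
# traffic the portscan preprocessor stops counting.
var DNS_SERVERS [192.0.2.2/32,192.0.2.3/32]

# Broader, as David suggests, but it also hides scans launched from your
# own LAN, so only use it once you have confirmed the alerts are noise:
# var DNS_SERVERS $HOME_NET

# Alert when one source touches 4 ports/hosts within 4 seconds (the
# THRESHOLD shown in the alerts above); per-packet detail goes to the file.
preprocessor portscan: $HOME_NET 4 4 /var/log/snort/portscan.log

# Traffic sourced from these hosts is not counted toward that threshold.
preprocessor portscan-ignorehosts: $DNS_SERVERS
```

After changing the file, restart Snort and watch whether the [100:2:1] status lines still appear while you browse; if they do, the resolvers were not the source and the ignore list is the wrong knob.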


Help!! Snort detected portscan, is it coming from me?

Post by Alan W. Fra » Thu, 11 Apr 2002 05:45:43


[]

Quote:> Yes, running snort is Fun until you get used to the pattern of traffic
> involved ;)

You're not kidding.

Today, I have mostly been trying to get a box to remotely syslog over a
VPN tunnel, when the box in question *is* the far end of the IPSEC
gateway - whilst snorting to ensure that *no* private IP or unencrypted
traffic passes over the link...

As an aside, rather than open up another Freeswan connection from
$DISTANTGATEWAY to $LOCALSUBNET, ('cos my default route is *to*
$LOCAL_PUBLIC_IP 'thru $DISTANT_PUBLIC_NIC - anything else wasn't happy)
I'm using iptables to SNAT traffic -s $DISTANT_PUBLIC_IP, -d
$LOCALSUBNET .. --to-source $DISTANT_PRIVATE_IP and it seems to work -
Is this a viable alternative to the iproute or multi-connection
solutions that STFW'ing suggested?

rgds, Alan

--
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5


Help!! Snort detected portscan, is it coming from me?

Post by Jeremy Da » Thu, 25 Apr 2002 20:58:03



> I put Snort on my system last night and it's starting to detect things,
> I need help understanding the output, does the following mean that my
> system is issuing a port scan or does it mean that someone is scanning
> me? (the xx.xxx.xxx.65 is my IP address)

> 04/08-12:57:38.253334  [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from
> xx.xxx.xxx.65 (THRESHOLD 4 connections exceeded in 4 seconds) [**]
> 04/08-12:57:44.885436  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 6 connections across 6 hosts: TCP(6), UDP(0) [**]
> 04/08-12:57:57.883683  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-12:58:15.442163  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
> 04/08-12:58:55.724257  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-12:59:15.447610  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
> 04/08-12:59:19.172129  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:00:15.440175  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
> 04/08-13:00:35.742465  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:01:15.447612  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:02:15.454337  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:03:15.461526  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:04:15.895894  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:05:15.489891  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:06:15.484172  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:06:24.481672  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:06:36.481191  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:07:00.480261  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:07:15.497180  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:08:15.499105  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:09:15.520534  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:10:15.529660  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
> 04/08-13:11:16.444651  [**] [100:2:1] spp_portscan: portscan status from
> xx.xxx.xxx.65: 1 connections across 1 hosts: TC

65.200.172.65   <--- This IP?

1. snort portscan log

Need some help for understanding the snort portscan log:
The signatures exists of TCP flags.
I understand the URG (Urgent), the ACK (Acknowledge), the RST (Reset),
the SYN (Synchronize) and FIN (Finish) flag but from
the others I have no idea what they might mean.

TCP flag bits - (******** - 12UAPRSF) -
Reserved/ECN|Reserved/ECN|URG|ACK|PSH|RST|SYN|FIN

So if someone can explain the meaning of the flags and why some
particular combination of flags are used by scanners I would be
pleased.

Please advise.

Kind regards,
Xantos N.
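The flag field in the portscan log is eight characters in the order the question gives, 12UAPRSF, with an asterisk for every bit that is clear, so "******S*" is a bare SYN and "**U*P**F" is URG+PSH+FIN. The following is an added example, not code from the thread or from Snort: it decodes that field into flag names and the equivalent TCP header flag byte, and labels the combinations port scanners are known for (the names are the ones nmap uses for its scan types; the reasons given are the standard ones, not anything specific to this log). The sample fields are constructed.

```python
# Position -> flag symbol, in the order the log prints them: 12UAPRSF.
# '1' and '2' are the two reserved bits of the era (later CWR and ECE, ECN).
FLAG_SYMBOLS = "12UAPRSF"
FLAG_NAMES = {
    "1": "reserved bit 1 (CWR in ECN)", "2": "reserved bit 2 (ECE in ECN)",
    "U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN",
}

# Why a scanner would send each combination.
WHY = {
    "NULL":    "no flags at all; no real TCP segment looks like this, it draws a RST "
               "from closed ports and nothing from open ones on RFC 793 stacks",
    "SYN":     "half-open scan: the same first packet as a real connection, so it "
               "blends in; a RST back means closed, SYN/ACK means open",
    "SYN/ACK": "second step of the handshake; sent unsolicited it probes stateless "
               "filters, and from a target it means the port answered as open",
    "SYN/FIN": "illegal combination; some old stacks and filters treated it as a SYN",
    "FIN":     "FIN scan: closed ports answer RST, open ports stay silent",
    "XMAS":    "FIN+PSH+URG 'lit up'; same RST/silence logic as FIN, very distinctive",
    "ACK":     "ACK scan: maps which ports a stateless firewall lets through rather "
               "than which are open; also the most common flag in normal traffic",
    "RST":     "reset, normally the target refusing or a scanner tearing down",
    "other":   "an ordinary data segment or a combination outside the usual scan set",
}


def is_valid_field(field):
    """True if field is 8 chars of '*' or the symbol expected at each position."""
    return len(field) == 8 and all(c in ("*", e) for e, c in zip(FLAG_SYMBOLS, field))


def decode_flags(field):
    """Return the set of flag symbols that are set in an 8-char field."""
    if not is_valid_field(field):
        raise ValueError("expected 8 chars in the form 12UAPRSF with '*' for clear bits")
    return {c for c in field if c != "*"}


def flag_byte(field):
    """The same field as the TCP header flag byte: CWR=0x80 ... SYN=0x02, FIN=0x01.
    The log prints the bits left to right from most to least significant."""
    decode_flags(field)  # validate
    return sum(1 << (7 - i) for i, c in enumerate(field) if c != "*")


def classify(field):
    """Label the combination with the usual scan-type name."""
    core = decode_flags(field) - {"1", "2"}   # ECN bits do not change the type
    if not core:
        return "NULL"
    if core == {"S"}:
        return "SYN"
    if core == {"S", "A"}:
        return "SYN/ACK"
    if {"S", "F"} <= core:
        return "SYN/FIN"
    if core == {"F"}:
        return "FIN"
    if core == {"F", "P", "U"}:
        return "XMAS"
    if core == {"A"}:
        return "ACK"
    if "R" in core:
        return "RST"
    return "other"


if __name__ == "__main__":
    for f in ("********", "******S*", "**U*P**F", "******SF", "***A****", "12****S*"):
        label = classify(f)
        print(f, hex(flag_byte(f)), sorted(FLAG_NAMES[c] for c in decode_flags(f)),
              label, "-", WHY[label])
```

The point of the byte conversion is that the log's eight columns are literally the flag byte of the TCP header read left to right, which is handy when comparing against a packet dump or a BPF filter such as tcp[13] = 2 for a bare SYN.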
