Subject: Re: Port-scans from visited web-sites?
From: Erich Meier (Erich.Meier INFORMATIK.UNI-ERLANGEN.DE)
Date: Sat Jun 10 2000 - 09:12:11 CDT
- Next message: Max Gribov: "scan log"
- Previous message: Lance Spitzner: "Account probing for spam relay."
- In reply to: Greg A. Woods: "Re: Port-scans from visited web-sites?"
- Reply: Erich Meier: "Re: Port-scans from visited web-sites?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Jun 08, 2000 at 03:58:24PM -0400, Greg A. Woods wrote:
> [ On Wednesday, June 7, 2000 at 14:19:28 (+0100), Peter Bates wrote: ]
> > Subject: Port-scans from visited web-sites?
> >
> > Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> > Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> > Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> > Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> > Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> >
> > using snort, obviously, and generated from
> > our machine that acts as our site 'web-cache/proxy'...
> > this was followed by about 3/4 other similar 'scans'
> > acknowledged by snort...
>
> Snort is on drugs, I think. It's promulgating paranoia.
>
> First off it's obviously not likely a scan. It might be a probe for
> something, but unless your network neighbours are being probed similarly
> it's not a "scan" of any kind.
This is snort's portscan preprocessor, which alerts on the reception of every
single "stealth packet" (a packet that could belong to a stealth scan). Therefore
snort functions properly without any drug usage (except for a few snort
developers drinking a pint of beer or two :-).
What is causing these packets is "packet noise", i.e. header corruption. I
see these kinds of packets mostly during gnutella sessions of my users. I
guess that most of the gnutella users sit behind lousy dialin connections
that cause the noise.
> Where the heck is the destination port number of this supposed
> connection? How does snort *know* it's a "STEALTH" connection?
All that info is logged to the portscan.log file. You can see the TCP flags
that caused the alarm there, too.
Erich
--
Erich Meier
Erich.Meierinformatik.uni-erlangen.de
http://www4.informatik.uni-erlangen.de/~meier/
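The triage Erich describes (a single STEALTH-flagged packet to one host is more likely header corruption than a scan, and the real evidence lives in portscan.log) can be automated over the syslog lines quoted in the thread. The script below is an added example and is not part of the mailing-list post or of Snort itself: it parses the spp_portscan "portscan status" syslog format shown above, classifies each episode by connection and host counts, and groups the result per source address. The thresholds (`min_conns`, `min_hosts`) and the fourth episode from 10.0.0.9 are constructed for illustration; Snort 1.x did not ship such a classifier.

```python
import re
from collections import defaultdict

# Sample input: the three spp_portscan episodes quoted in the thread, plus one
# CONSTRUCTED episode (10.0.0.9) with many connections across many hosts so the
# classifier has something other than single-packet noise to look at.
SAMPLE_LOG = """\
Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:40:10 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 10.0.0.9
Jun 7 13:40:25 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 10.0.0.9: 240 connections across 12 hosts: TCP(240), UDP(0)
Jun 7 13:40:31 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 10.0.0.9
"""

# Only the "portscan status" line carries counts; DETECTED and End lines are just markers.
STATUS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: spp_portscan: "
    r"portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections across "
    r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?$"
)


def parse_status_lines(log_text):
    """Return one dict per 'portscan status' line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "src": m["src"],
                "conns": int(m["conns"]), "hosts": int(m["hosts"]),
                "tcp": int(m["tcp"]), "udp": int(m["udp"]),
                "stealth": m["stealth"] is not None,
            })
    return events


def classify(event, min_conns=5, min_hosts=2):
    """Heuristic from the thread: one STEALTH-flagged packet to one host is
    more likely corrupted-header noise than a scan, while many connections
    across several hosts looks like a sweep. Thresholds are assumptions."""
    if event["stealth"] and event["conns"] == 1 and event["hosts"] == 1:
        return "single-packet-noise"
    if event["hosts"] >= min_hosts and event["conns"] >= min_conns:
        return "likely-scan"
    return "review"  # anything in between still deserves a look at portscan.log


def summarize(log_text):
    """Group events by source address and count how each episode was classified."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in parse_status_lines(log_text):
        summary[ev["src"]][classify(ev)] += 1
    return {src: dict(counts) for src, counts in summary.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)
```

Run against the sample, 206.251.0.173 yields three "single-packet-noise" episodes and the constructed 10.0.0.9 one "likely-scan"; a "review" verdict is the cue to open portscan.log and check the actual TCP flags and destination port, which the syslog summary does not carry.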