Snort log stuff
Over the last few days, I've seen the following type of entry in my
snort report:
The distribution of event methods
===============================================
% # of method
===============================================
5.81 5 (portscan) TCP Portsweep
3 192.168.10.249 -> 207.68.170.126
1 192.168.10.117 -> 66.224.5.66
1 192.168.10.164 -> 65.254.60.101
(the data below is today's data - I won't receive an email report for
today until tomorrow morning some time, thus it doesn't match the excerpt
above. However, it's the same type of thing.)
/var/log/snort/alert:
[**] [122:3:0] (portscan) TCP Portsweep [**]
04/18-08:51:17.742063 192.168.10.239 -> 63.112.169.3
PROTO255 TTL:0 TOS:0x0 ID:44549 IpLen:20 DgmLen:164 DF
/var/log/snort/tcpdump.log.*:
Frame 14 (178 bytes on wire, 178 bytes captured)
Arrival Time: Apr 18, 2005 08:51:17.742063000
Time delta from previous packet: 48.236185000 seconds
Time since reference or first frame: 6818.347488000 seconds
Frame Number: 14
Packet Length: 178 bytes
Capture Length: 178 bytes
Protocols in frame: eth:ip:data
Ethernet II, Src: 4d:41:43:44:41:44, Dst: 4d:41:43:44:41:44
Destination: 4d:41:43:44:41:44 (4d:41:43:44:41:44)
Source: 4d:41:43:44:41:44 (4d:41:43:44:41:44)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.10.239 (192.168.10.239), Dst Addr:
63.112.169.3 (63.112.169.3)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 164
Identification: 0xae05 (44549)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 0
Protocol: Unknown (0xff)
Header checksum: 0x174b (correct)
Source: 192.168.10.239 (192.168.10.239)
Destination: 63.112.169.3 (63.112.169.3)
Data (144 bytes)
0000 50 72 69 6f 72 69 74 79 20 43 6f 75 6e 74 3a 20 Priority Count:
0010 35 0a 43 6f 6e 6e 65 63 74 69 6f 6e 20 43 6f 75 5.Connection Cou
0020 6e 74 3a 20 31 37 0a 49 50 20 43 6f 75 6e 74 3a nt: 17.IP Count:
0030 20 33 33 0a 53 63 61 6e 6e 65 64 20 49 50 20 52 33.Scanned IP R
0040 61 6e 67 65 3a 20 36 33 2e 31 31 32 2e 31 36 39 ange: 63.112.169
0050 2e 33 3a 31 39 32 2e 31 36 38 2e 31 30 2e 32 33 .3:192.168.10.23
0060 39 0a 50 6f 72 74 2f 50 72 6f 74 6f 20 43 6f 75 9.Port/Proto Cou
0070 6e 74 3a 20 35 0a 50 6f 72 74 2f 50 72 6f 74 6f nt: 5.Port/Proto
0080 20 52 61 6e 67 65 3a 20 38 30 3a 31 32 30 36 0a Range: 80:1206.
Does this look familiar to anyone? I would think that the fact that this
type of data (portscan results?) is being sent over the network rather
than stored/displayed locally would indicate that some remote host is
scanning by proxy. The local host in this case is a Windows XP SP2
machine. These packets are coming to and from various hosts & Norton AV
isn't finding any trojans or anything on them (though that may not mean
much).
Any ideas?
-davidc
--
The fly that does not want to be swatted is safest if it sits on the
fly-swat. -G.C. Lichtenberg
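An added example, not part of the post above: the hex dump is plain "Key: value" text, which is the layout Snort's sfPortscan preprocessor uses for the payload of the pseudo-packet it attaches to each portscan event (IP protocol 255, TTL 0, and Ethernet addresses filled with the ASCII string MACDAD, which is what 4d:41:43:44:41:44 decodes to). The script below, written for this page and using the alert record and hex dump from the post as constructed sample input, parses the three-line alert header and the payload into typed fields, and checks that the datagram length in the header matches the decoded payload. The `is_sfportscan_event` heuristic at the end is this example's own, not something Snort ships.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the alert record and the payload hex dump copied
# from the post above (the sfPortscan "TCP Portsweep" event).
SAMPLE_ALERT = """\
[**] [122:3:0] (portscan) TCP Portsweep [**]
04/18-08:51:17.742063 192.168.10.239 -> 63.112.169.3
PROTO255 TTL:0 TOS:0x0 ID:44549 IpLen:20 DgmLen:164 DF
"""

SAMPLE_HEXDUMP = """\
0000 50 72 69 6f 72 69 74 79 20 43 6f 75 6e 74 3a 20 Priority Count:
0010 35 0a 43 6f 6e 6e 65 63 74 69 6f 6e 20 43 6f 75 5.Connection Cou
0020 6e 74 3a 20 31 37 0a 49 50 20 43 6f 75 6e 74 3a nt: 17.IP Count:
0030 20 33 33 0a 53 63 61 6e 6e 65 64 20 49 50 20 52 33.Scanned IP R
0040 61 6e 67 65 3a 20 36 33 2e 31 31 32 2e 31 36 39 ange: 63.112.169
0050 2e 33 3a 31 39 32 2e 31 36 38 2e 31 30 2e 32 33 .3:192.168.10.23
0060 39 0a 50 6f 72 74 2f 50 72 6f 74 6f 20 43 6f 75 9.Port/Proto Cou
0070 6e 74 3a 20 35 0a 50 6f 72 74 2f 50 72 6f 74 6f nt: 5.Port/Proto
0080 20 52 61 6e 67 65 3a 20 38 30 3a 31 32 30 36 0a Range: 80:1206.
"""

# sfPortscan fills the Ethernet addresses of its pseudo-packet with the
# ASCII string "MACDAD" (4d 41 43 44 41 44), as seen in the tshark output.
SFPORTSCAN_MAC = "4d:41:43:44:41:44"

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\][ \t]*\n"
    r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)[ \t]*\n"
    r"PROTO(?P<proto>\d+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9a-fA-F]+) "
    r"ID:(?P<ipid>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)"
)


def parse_alert(text: str) -> Optional[Dict[str, object]]:
    """Parse one three-line record from /var/log/snort/alert into a dict."""
    m = ALERT_RE.match(text)
    if not m:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    for k in ("gid", "sid", "rev", "proto", "ttl", "ipid", "iplen", "dgmlen"):
        d[k] = int(str(d[k]))
    return d


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a tshark-style hex dump (offset, up to 16 bytes, ASCII column) back into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.split()
        if not toks:
            continue
        for tok in toks[1:17]:  # skip the offset, read at most 16 data bytes
            if not HEX_BYTE.match(tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def parse_sfportscan_payload(payload: bytes) -> Dict[str, object]:
    """Parse sfPortscan's 'Key: value' text payload into typed fields."""
    raw: Dict[str, str] = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            raw[key.strip()] = value.strip()
    typed: Dict[str, object] = {}
    for key in ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count"):
        if key in raw:
            typed[key] = int(raw[key])
    if "Scanned IP Range" in raw:
        lo, _, hi = raw["Scanned IP Range"].partition(":")
        typed["Scanned IP Range"] = (lo, hi)
    if "Port/Proto Range" in raw:
        lo, _, hi = raw["Port/Proto Range"].partition(":")
        typed["Port/Proto Range"] = (int(lo), int(hi))
    return typed


def payload_length_matches(alert: Dict[str, object], payload: bytes) -> bool:
    """DgmLen minus IpLen must equal the number of payload bytes decoded."""
    return int(str(alert["dgmlen"])) - int(str(alert["iplen"])) == len(payload)


def is_sfportscan_event(alert: Optional[Dict[str, object]], fields: Dict[str, object]) -> bool:
    """Heuristic of this example: a gid 122 record carried on a protocol-255,
    TTL-0 pseudo-packet whose payload is the preprocessor's own summary."""
    return (
        alert is not None
        and alert["gid"] == 122
        and alert["proto"] == 255
        and alert["ttl"] == 0
        and {"Priority Count", "Connection Count", "IP Count"} <= fields.keys()
    )


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    payload = hexdump_to_bytes(SAMPLE_HEXDUMP)
    fields = parse_sfportscan_payload(payload)
    print(alert)
    print(fields)
    print("length consistent:", alert is not None and payload_length_matches(alert, payload))
    print("sfPortscan event:", is_sfportscan_event(alert, fields))
```

Run against the sample, the decoded payload is exactly the 144 bytes the header's DgmLen:164 minus IpLen:20 promises, and the fields come out as the priority, connection and IP counts, the scanned range 63.112.169.3:192.168.10.239 and the port range 80:1206 shown in the dump's ASCII column.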