
Snort log stuff



Over the last few days, I've seen the following type of entry in my
snort report:

The distribution of event methods
===============================================
  %    # of  method
=============================================== 
 5.81     5  (portscan) TCP Portsweep        
                 3     192.168.10.249  -> 207.68.170.126 
                 1     192.168.10.117  -> 66.224.5.66    
                 1     192.168.10.164  -> 65.254.60.101  

(The data below is today's data; I won't receive an email report for
today until tomorrow morning some time, thus it doesn't match the excerpt
above. However, it's the same type of thing.)

/var/log/snort/alert:

[**] [122:3:0] (portscan) TCP Portsweep [**]
04/18-08:51:17.742063 192.168.10.239 -> 63.112.169.3
PROTO255 TTL:0 TOS:0x0 ID:44549 IpLen:20 DgmLen:164 DF


/var/log/snort/tcpdump.log.*:

Frame 14 (178 bytes on wire, 178 bytes captured)
    Arrival Time: Apr 18, 2005 08:51:17.742063000
    Time delta from previous packet: 48.236185000 seconds
    Time since reference or first frame: 6818.347488000 seconds
    Frame Number: 14
    Packet Length: 178 bytes
    Capture Length: 178 bytes
    Protocols in frame: eth:ip:data
Ethernet II, Src: 4d:41:43:44:41:44, Dst: 4d:41:43:44:41:44
    Destination: 4d:41:43:44:41:44 (4d:41:43:44:41:44)
    Source: 4d:41:43:44:41:44 (4d:41:43:44:41:44)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.10.239 (192.168.10.239), Dst Addr:
63.112.169.3 (63.112.169.3)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 164
    Identification: 0xae05 (44549)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 0
    Protocol: Unknown (0xff)
    Header checksum: 0x174b (correct)
    Source: 192.168.10.239 (192.168.10.239)
    Destination: 63.112.169.3 (63.112.169.3)
Data (144 bytes)

0000  50 72 69 6f 72 69 74 79 20 43 6f 75 6e 74 3a 20   Priority Count:
0010  35 0a 43 6f 6e 6e 65 63 74 69 6f 6e 20 43 6f 75   5.Connection Cou
0020  6e 74 3a 20 31 37 0a 49 50 20 43 6f 75 6e 74 3a   nt: 17.IP Count:
0030  20 33 33 0a 53 63 61 6e 6e 65 64 20 49 50 20 52    33.Scanned IP R
0040  61 6e 67 65 3a 20 36 33 2e 31 31 32 2e 31 36 39   ange: 63.112.169
0050  2e 33 3a 31 39 32 2e 31 36 38 2e 31 30 2e 32 33   .3:192.168.10.23
0060  39 0a 50 6f 72 74 2f 50 72 6f 74 6f 20 43 6f 75   9.Port/Proto Cou
0070  6e 74 3a 20 35 0a 50 6f 72 74 2f 50 72 6f 74 6f   nt: 5.Port/Proto
0080  20 52 61 6e 67 65 3a 20 38 30 3a 31 32 30 36 0a    Range: 80:1206.


Does this look familiar to anyone? I would think that the fact that this
type of data (portscan results?) is being sent over the network rather
than stored/displayed locally would indicate that some remote host is
scanning by proxy. The local host in this case is a Windows XP SP2
machine. These packets are coming to and from various hosts & Norton AV
isn't finding any trojans or anything on them (though that may not mean
much).

Any ideas?

-davidc

--
The fly that does not want to be swatted is safest if it sits on the
fly-swat. -G.C. Lichtenberg
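The data block in the Ethereal dump above is the newline-separated "Key: value" summary text that Snort's sfPortscan preprocessor embeds in the pseudo-packets it logs for portscan events; those records carry IP protocol 255 (the PROTO255 in the alert line) and a placeholder MAC address, and they are Snort's own log output rather than frames a host on the segment put on the wire. The following Python is an added example, not code from the original post or from the Snort project: it rebuilds the 144 payload bytes from the hex dump exactly as posted, parses the fields, splits the two ranges, and applies a small triage check an analyst can run over such a record before treating it as evidence of a compromised host. The function names are my own, and the MAC helper simply reads the posted address bytes as ASCII.

```python
"""Decode the data portion of a Snort sfPortscan pseudo-packet from a hex dump."""
import re

# Hex dump copied from the post above: the 144-byte "Data" section of frame 14.
FRAME_14_DATA_DUMP = """\
0000  50 72 69 6f 72 69 74 79 20 43 6f 75 6e 74 3a 20   Priority Count:
0010  35 0a 43 6f 6e 6e 65 63 74 69 6f 6e 20 43 6f 75   5.Connection Cou
0020  6e 74 3a 20 31 37 0a 49 50 20 43 6f 75 6e 74 3a   nt: 17.IP Count:
0030  20 33 33 0a 53 63 61 6e 6e 65 64 20 49 50 20 52    33.Scanned IP R
0040  61 6e 67 65 3a 20 36 33 2e 31 31 32 2e 31 36 39   ange: 63.112.169
0050  2e 33 3a 31 39 32 2e 31 36 38 2e 31 30 2e 32 33   .3:192.168.10.23
0060  39 0a 50 6f 72 74 2f 50 72 6f 74 6f 20 43 6f 75   9.Port/Proto Cou
0070  6e 74 3a 20 35 0a 50 6f 72 74 2f 50 72 6f 74 6f   nt: 5.Port/Proto
0080  20 52 61 6e 67 65 3a 20 38 30 3a 31 32 30 36 0a    Range: 80:1206.
"""

# IP protocol number Snort writes into its pseudo-packets (PROTO255 / 0xff above).
SFPORTSCAN_PROTO = 255


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from an Ethereal/Wireshark-style hex dump.

    Each line is: 4-digit offset, two spaces, up to 16 space-separated hex
    pairs, then two or more spaces and an ASCII column (ignored here).
    Splitting on runs of two or more spaces keeps hex-looking ASCII text
    from being mistaken for data bytes.
    """
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", parts[0]):
            continue  # blank line or not a dump row
        out.extend(bytes.fromhex(parts[1]))  # fromhex ignores the single spaces
    return bytes(out)


def parse_sfportscan_payload(data: bytes) -> dict:
    """Split the "Key: value" lines of the payload into a dict.

    Only the first ':' on a line is the separator, so values that themselves
    contain ':' (the IP and port ranges) survive intact.
    """
    fields = {}
    for line in data.decode("ascii", errors="replace").split("\n"):
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def summarize(fields: dict) -> dict:
    """Turn the counters into ints and split the two ranges at their ':'."""
    summary = {k: int(v) for k, v in fields.items() if k.endswith("Count")}
    ip_lo, _, ip_hi = fields["Scanned IP Range"].partition(":")
    port_lo, _, port_hi = fields["Port/Proto Range"].partition(":")
    summary["ip_range"] = (ip_lo, ip_hi)
    summary["port_range"] = (int(port_lo), int(port_hi))
    return summary


def is_sfportscan_pseudo_packet(ip_proto: int, payload: bytes) -> bool:
    """Triage check: IP protocol 255 plus the sfPortscan summary text marks a
    frame as Snort's own log record, not traffic transmitted by a host."""
    return ip_proto == SFPORTSCAN_PROTO and payload.startswith(b"Priority Count:")


def mac_as_ascii(mac: str) -> str:
    """Read a colon-separated MAC address as six ASCII characters, which is
    what the placeholder address in the dump turns out to be."""
    return bytes.fromhex(mac.replace(":", "")).decode("ascii", errors="replace")


if __name__ == "__main__":
    payload = hexdump_to_bytes(FRAME_14_DATA_DUMP)
    print("pseudo-packet:", is_sfportscan_pseudo_packet(SFPORTSCAN_PROTO, payload))
    print("src/dst MAC reads as:", mac_as_ascii("4d:41:43:44:41:44"))
    print(summarize(parse_sfportscan_payload(payload)))
```

Running the script against the posted dump prints the counters (5 priority, 17 connections, 33 IPs, 5 port/proto entries), the ranges 63.112.169.3 to 192.168.10.239 and 80 to 1206, and confirms the record as an sfPortscan pseudo-packet; the actual hosts to look at for the portsweep are the ones named in the alert's source and destination fields, so an investigation starts from the Snort alert itself rather than from the pseudo-packet's Ethernet layer.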