Interpreting Snort SID 1 result

To: Debian Security <debian-security@lists.debian.org>
Subject: Interpreting Snort SID 1 result
From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>
Date: Fri, 06 May 2005 13:52:26 +0200
Message-id: <[🔎] 427B5A7A.40801@gmx.net>
Reply-to: ifpadmin@uni-bonn.de

Alohá!

Not sure whether this belongs here but no one answered over atdebian-firewall - I've had strange results in my snort logs that I can'treally interpret, the sid 1 doesn't look like a "normal" snort result tome and the owner of the machine (which happens to be a largeinstitution) says that I shouldn't worry because "usually port scansfrom compromised machines cover a wide range of ports" - great. I know Iwouldn't do a shotgun scan if I was hijacking boxes, especially not onegetting me noticed on a machine I've rooted right away. Anyway, here arethe results, maybe it's perfectly normal and as per usual my knowledgeis just to limited ;-)

02/22-17:58:46.493171 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]01/14-10:32:58.355694 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]01/14-10:33:00.705885 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)[**]12/08-09:09:50.773851 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]12/08-09:09:51.525590 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)[**]11/09-11:59:21.788204 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]11/12-14:38:08.728267 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 76 sliding: 40)[**]04/14-14:54:04.666097 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]04/14-14:54:06.749817 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)[**]03/14-10:43:43.528993 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]03/14-10:44:24.270468 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 41 sliding: 40)[**]05/02-11:17:56.907506 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 14)[**]05/02-11:17:59.570345 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 41 sliding: 40)[**]05/03-14:50:10.519801 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)[**]05/03-14:50:15.139081 [**] [121:1:1] Portscan detected from <scanningmachine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)[**]

I tried the snort site for the strange SID and RTFMed a bit but when itcomes to interpreting results there isn't a short answer :-)


best regards

Martin

Reply to:

Follow-Ups:
- Re: Interpreting Snort SID 1 result
  - From: Jeremy Hewlett <jh@snort.org>

Prev by Date: Returned mail
Next by Date: Re: Interpreting Snort SID 1 result
Previous by thread: Returned mail
Next by thread: Re: Interpreting Snort SID 1 result
Index(es):
- Date
- Thread