Interpreting Snort SID 1 result
Alohá!
Not sure whether this belongs here, but no one answered over at
debian-firewall. I've had strange results in my snort logs that I can't
really interpret; the sid 1 doesn't look like a "normal" snort result to
me, and the owner of the machine (which happens to be a large
institution) says that I shouldn't worry because "usually port scans
from compromised machines cover a wide range of ports" - great. I know I
wouldn't do a shotgun scan if I was hijacking boxes, especially not one
getting me noticed on a machine I've rooted right away. Anyway, here are
the results; maybe it's perfectly normal and, as per usual, my knowledge
is just too limited ;-)
02/22-17:58:46.493171 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
01/14-10:32:58.355694 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
01/14-10:33:00.705885 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)
[**]
12/08-09:09:50.773851 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
12/08-09:09:51.525590 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)
[**]
11/09-11:59:21.788204 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
11/12-14:38:08.728267 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 76 sliding: 40)
[**]
04/14-14:54:04.666097 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
04/14-14:54:06.749817 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)
[**]
03/14-10:43:43.528993 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
03/14-10:44:24.270468 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 41 sliding: 40)
[**]
05/02-11:17:56.907506 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 14)
[**]
05/02-11:17:59.570345 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 41 sliding: 40)
[**]
05/03-14:50:10.519801 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15)
[**]
05/03-14:50:15.139081 [**] [121:1:1] Portscan detected from <scanning
machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40)
[**]
I tried the snort site for the strange SID and RTFMed a bit but when it
comes to interpreting results there isn't a short answer :-)
best regards
Martin
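Added example, not part of Martin's post: a small parser for the alert format quoted above. The first number in `[121:1:1]` is Snort's generator ID, not a rule SID; generator 121 is the flow-portscan preprocessor in Snort 2.x (122 is sfportscan), which is why looking up "SID 1" on the Snort site turns up nothing useful. The script pulls the timestamp, source and Talker/Scanner counters out of each line, skips non-portscan alerts, and merges alerts from the same source that fall within a configurable window into one "episode", so the recurring pairs (Scanner 15, then 40 or 41 a few seconds later) are reported as a single sweep crossing successive counter values rather than as separate scans. The sample lines and their 192.0.2.0/24 addresses are constructed for the example (the post redacted its real IP, and the parser accepts that placeholder too); the 300-second window is an assumption, not a Snort setting.

```python
"""Parse Snort flow-portscan alerts (generator 121) and group them into scan episodes."""
import re
from dataclasses import dataclass
from datetime import datetime

# Generator IDs from Snort 2.x gen-msg.map: the first number in [gid:sid:rev].
# 121 is the flow-portscan preprocessor, so "[121:1:1]" is not rule SID 1 from
# the Snort ruleset; it is flow-portscan's own message number 1.
GENERATOR_NAMES = {121: "flow-portscan", 122: "sfportscan"}

# Constructed sample log in the format quoted in the post. Addresses are from
# the 192.0.2.0/24 documentation range; one line keeps the post's redacted
# "<scanning machine's IP>" placeholder, and one line is a (constructed)
# ordinary rule alert that the parser must ignore.
SAMPLE_ALERTS = """\
01/14-10:32:58.355694 [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
01/14-10:33:00.705885 [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**]
03/14-10:43:43.528993 [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
03/14-10:44:24.270468 [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 41 sliding: 40) [**]
03/14-10:44:30.000000 [**] [121:1:1] Portscan detected from <scanning machine's IP> Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 14) [**]
03/14-10:45:00.000000 [**] [1:1000001:1] local test rule (constructed) [**]
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"Portscan detected from (?P<src>.+?) "
    r"Talker\(fixed: (?P<tf>\d+) sliding: (?P<tsl>\d+)\) "
    r"Scanner\(fixed: (?P<sf>\d+) sliding: (?P<ssl>\d+)\)"
)


@dataclass
class PortscanAlert:
    when: datetime
    gid: int
    sid: int
    src: str
    talker_fixed: int
    talker_sliding: int
    scanner_fixed: int
    scanner_sliding: int


def parse_alert(line: str):
    """Return a PortscanAlert for a flow-portscan line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Snort's default alert timestamp carries no year; pin it to a leap year so
    # a 02/29 entry still parses. Only the in-year ordering is used below.
    when = datetime.strptime("2000/" + m["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    return PortscanAlert(when, int(m["gid"]), int(m["sid"]), m["src"],
                         int(m["tf"]), int(m["tsl"]), int(m["sf"]), int(m["ssl"]))


def parse_log(text: str):
    """Parse every line of an alert file, dropping lines that are not portscan alerts."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a]


@dataclass
class Episode:
    src: str
    start: datetime
    end: datetime
    alerts: int
    max_scanner_fixed: int
    max_scanner_sliding: int
    max_talker_fixed: int


def group_episodes(alerts, gap_seconds: int = 300):
    """Merge alerts from one source that lie within gap_seconds of each other.

    Assumption: a Scanner(fixed: 15) alert followed seconds later by
    Scanner(fixed: 40) from the same source is the same sweep reported again
    as its counter grows, so it is summarised as one episode with the peak
    counter values rather than as two scans.
    """
    episodes = []
    current = None
    for a in sorted(alerts, key=lambda x: (x.src, x.when)):
        if (current is None or a.src != current.src
                or (a.when - current.end).total_seconds() > gap_seconds):
            current = Episode(a.src, a.when, a.when, 0, 0, 0, 0)
            episodes.append(current)
        current.end = a.when
        current.alerts += 1
        current.max_scanner_fixed = max(current.max_scanner_fixed, a.scanner_fixed)
        current.max_scanner_sliding = max(current.max_scanner_sliding, a.scanner_sliding)
        current.max_talker_fixed = max(current.max_talker_fixed, a.talker_fixed)
    return episodes


if __name__ == "__main__":
    for e in group_episodes(parse_log(SAMPLE_ALERTS)):
        print(f"{e.src}: {e.start:%m/%d %H:%M:%S} to {e.end:%H:%M:%S}, "
              f"{e.alerts} alert(s), scanner peak fixed={e.max_scanner_fixed} "
              f"sliding={e.max_scanner_sliding}")
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file's contents; one episode line per source and time window is far easier to read than the raw pairs, and a source that keeps producing episodes weeks apart (as the post's log shows) stands out immediately.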