Re: Confessions of a reluctant port scanner
It doesn't look like anything to worry about; they are
false positives leaving your network. Your network is
a private network, 192.168.1.x, and the false attacks
are you hitting a DNS, probably your DNS, and your
network hitting a website. 192.168.1 is a private
network range; that means they are unroutable on the
public internet unless statically routed. I would say
they are false positives. When running nmap, run it on
your eth0 interface as opposed to your loopback; this
can give different results. Check your home_net and
DNS server entries in snort.conf.

There is a script in cron.weekly that starts lpd once
a week.

--- Patrick Albuquerque <patrickq@mts.net> wrote:
> Hello,
>
> Anyone have an idea why I'm a portscanner?
> I'm running unstable, dsl thru a router.
>
> Some sample snort output:
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
> 07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
> Len: 43
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
> 07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
> TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0x51642A4F Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 1350334 0 NOP WS: 0
>
> whois says these particular targets are
> OrgName: Exchange Point Blocks
> OrgName: Cable & Wireless
> and I have no connection to them AFAICT.
>
> nmap localhost says:
> Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-07-13 20:25 CDT
> Interesting ports on loopback (127.0.0.1):
> (The 1618 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 111/tcp open sunrpc
> 953/tcp open rndc
>
> Also, every now and then, I notice lpd running. I
> don't have a printer,
> and lpd is not in /etc/rc2.d
>
> Sorry, but I'm pretty ignorant regarding
> network/security issues.
>
> Is it time to panic yet?
>
> Thanks for any advice.
>
> Patrick.
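An added example, not part of the original thread: it applies the reply's reasoning to the quoted alerts by checking whether each flagged flow is outbound from the private network to a DNS or web port. The HOME_NET value, CLIENT_PORTS and triage() are assumptions of this example; take the real ranges from your own snort.conf.

```python
import ipaddress
import re

# Assumed values for this example; use the ranges from your own snort.conf.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT_PORTS = {53: "dns", 80: "http"}  # services an ordinary client contacts

# Sample alerts taken from the quoted message, with e-mail line wraps joined.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
"""

ALERT = re.compile(r"\(spp_portscan2\) Portscan detected from (\S+): "
                   r"(\d+) targets (\d+) ports in (\d+) seconds")
FLOW = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def triage(text):
    """Return one dict per portscan alert with a verdict for manual review."""
    results, current = [], None
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            current = {"scanner": m.group(1), "targets": int(m.group(2)),
                       "ports": int(m.group(3)), "seconds": int(m.group(4))}
            continue
        f = FLOW.match(line.strip())
        if f and current is not None:
            src = ipaddress.ip_address(f.group(1))
            dst = ipaddress.ip_address(f.group(3))
            dport = int(f.group(4))
            outbound = src in HOME_NET and dst not in HOME_NET
            current.update(dst=str(dst), dport=dport,
                           service=CLIENT_PORTS.get(dport, "unknown"))
            # Outbound from HOME_NET to a common service port: normal client traffic.
            current["verdict"] = ("likely-benign-outbound"
                                  if outbound and dport in CLIENT_PORTS else "review")
            results.append(current)
            current = None
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

A flow that starts outside HOME_NET, or goes to a port not in CLIENT_PORTS, comes back as "review" rather than being dismissed.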