Snort detects portscans, the source is MY ip


xjussix
05-19-2003, 04:01 AM
Here's an example from my portscan2.log:


05/19-07:34:50.722373 TCP src: 80.223.xxx.xxx dst: 66.118.xxx.xxx sport: 1137 dport: 80 tgts: 6 ports: 6 flags: ******S* event_id: 0
05/19-07:34:51.296949 TCP src: 80.223.xxx.xxx dst: 62.94.xxx.xxx sport: 1139 dport: 80 tgts: 7 ports: 7 flags: ******S* event_id: 6
05/19-07:37:58.365919 TCP src: 80.223.xxx.xxx dst: 169.207.xxx.xxx sport: 1107 dport: 80 tgts: 8 ports: 8 flags: ***A***F event_id: 6

There are lots of these in that log. The thing that makes me wonder is what is my computer doing? 80.223.xxx.xxx is MY router's IP (snort is installed in that box). Something weird happening or just something completely normal?

I've "censored" the IP's just in case. =)

bwkaz
05-19-2003, 07:23 PM
And what makes you think these are portscans?

Originally posted by xjussix
05/19-07:34:50.722373 TCP src: 80.223.xxx.xxx dst: 66.118.xxx.xxx sport: 1137 dport: 80 tgts: 6 ports: 6 flags: ******S* event_id: 0
05/19-07:34:51.296949 TCP src: 80.223.xxx.xxx dst: 62.94.xxx.xxx sport: 1139 dport: 80 tgts: 7 ports: 7 flags: ******S* event_id: 6

These are just two SYN packets sent from your router to this IP address, going to port 80. What this is, is you requesting a couple of web pages!

Notice how the source IP is your router, and the destination is somewhere else? That means that if it is a portscan, it's you doing the scanning, not them. But I highly doubt that that's what's going on; I rather think it's just an HTTP connection being made.

05/19-07:37:58.365919 TCP src: 80.223.xxx.xxx dst: 169.207.xxx.xxx sport: 1107 dport: 80 tgts: 8 ports: 8 flags: ***A***F event_id: 6

I don't know what the A and F flags are, but this is going from your router to the other IP address on port 80 -- it's something else to do with HTTP.
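
Added here as a worked example, not code from the thread or from Snort itself: a small Python script that parses lines in the portscan2.log format quoted above, decodes the 8-character flag field (Snort prints the TCP flags in the order 1 2 U A P R S F, so `******S*` is a lone SYN and `***A***F` is ACK+FIN, i.e. one side closing an established connection), and sorts each entry into outbound web traffic from a local address versus inbound SYNs from an outside host. The sample lines, the 192.0.2.0/24 "local" range and the list of web ports are constructed assumptions; the fourth sample line, an outside host touching port 23 on the local router, is added only to show what the contrasting case looks like.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the portscan2.log format quoted in the thread.
# The thread's addresses were censored; RFC 5737 test ranges are used instead,
# with 192.0.2.0/24 standing in for the poster's own network.
SAMPLE_LOG = """\
05/19-07:34:50.722373 TCP src: 192.0.2.10 dst: 198.51.100.7 sport: 1137 dport: 80 tgts: 6 ports: 6 flags: ******S* event_id: 0
05/19-07:34:51.296949 TCP src: 192.0.2.10 dst: 203.0.113.9 sport: 1139 dport: 80 tgts: 7 ports: 7 flags: ******S* event_id: 6
05/19-07:37:58.365919 TCP src: 192.0.2.10 dst: 198.51.100.44 sport: 1107 dport: 80 tgts: 8 ports: 8 flags: ***A***F event_id: 6
05/19-08:02:11.000001 TCP src: 203.0.113.200 dst: 192.0.2.10 sport: 40000 dport: 23 tgts: 1 ports: 19 flags: ******S* event_id: 9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S{8}) event_id: (?P<event_id>\d+)$"
)

# Snort's flag field is eight characters in the order 1 2 U A P R S F:
# two reserved bits, then URG ACK PSH RST SYN FIN. '*' means the bit is clear.
FLAG_NAMES = ["RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

# Assumed set of ports that a local browser would be talking to.
WEB_PORTS = {80, 443}


def decode_flags(field):
    """Turn '***A***F' into ['ACK', 'FIN']."""
    return [name for name, ch in zip(FLAG_NAMES, field) if ch != "*"]


def parse_line(line):
    """Parse one portscan2.log line into a dict; raises ValueError on a mismatch."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a portscan2.log line: %r" % line)
    entry = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        entry[key] = int(entry[key])
    entry["flags"] = decode_flags(entry["flags"])
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_local(addr, local_nets):
    ip = ip_address(addr)
    return any(ip in net for net in local_nets)


def classify(entry, local_nets):
    """Label an entry by direction and flags, from the local network's point of view."""
    src_local = is_local(entry["src"], local_nets)
    dst_local = is_local(entry["dst"], local_nets)
    flags = set(entry["flags"])
    # A local client opening (SYN) or tearing down (ACK/FIN) connections to web
    # ports on outside hosts: this is what browsing looks like to portscan2,
    # which only sees one source hitting many targets in a short window.
    if src_local and not dst_local and entry["dport"] in WEB_PORTS:
        if flags == {"SYN"} or "ACK" in flags:
            return "outbound-web"
    # An outside host sending bare SYNs that have touched several local ports:
    # the kind of entry that deserves a closer look.
    if not src_local and dst_local and flags == {"SYN"} and entry["ports"] > 1:
        return "inbound-syn-multiport"
    return "other"


def summarize(text, local_cidrs):
    """Count entries per label, e.g. {'outbound-web': 3, 'inbound-syn-multiport': 1}."""
    local_nets = [ip_network(c) for c in local_cidrs]
    counts = Counter(classify(e, local_nets) for e in parse_log(text))
    return dict(counts)


if __name__ == "__main__":
    nets = [ip_network("192.0.2.0/24")]
    for e in parse_log(SAMPLE_LOG):
        print("%s %s -> %s:%d %-10s %s" % (e["ts"], e["src"], e["dst"], e["dport"],
                                            "/".join(e["flags"]), classify(e, nets)))
    print(summarize(SAMPLE_LOG, ["192.0.2.0/24"]))
```

Run against a real portscan2.log, replace the local CIDR list with the addresses behind the sensor; entries labelled `outbound-web` are the ones the thread is asking about, and the `tgts`/`ports` counters rising line by line simply reflect how many distinct hosts the browser has contacted inside the preprocessor's time window.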

xjussix
05-20-2003, 03:00 AM
Yeah, I know the traffic is going from MY computer to some other computer in the net. What troubles me is why the heck does Snort log it? I mean, if it's "normal" web browsing, why would Snort log it in "portscan2.log"? Don't know if they are portscans, but that's what the logfile's name implies. And nope, I sure haven't been doing any portscans.

bwkaz
05-20-2003, 06:52 PM
I have no idea. Maybe the Snort authors know?