Security Incidents: Re: Port-scans from visited web-sites?

Re: Port-scans from visited web-sites?

From: Joe McAlerney <joey_at_SILICONDEFENSE.COM>
Date: Thu, 8 Jun 2000 08:44:28 -0700

Snort's portscan preprocessor will register web traffic as portscans if
your threshold is too low. It simply looks for X packets sent to your
network in Y seconds. Try increasing either the packet threshold or
the time.

-Joe M.

Peter Bates wrote:
>
> Hello all...
>
> I noticed the following today:
>
> Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
>
> using snort, obviously, and generated from
> our machine that acts as our site 'web-cache/proxy'...
> this was followed by about 3/4 other similar 'scans'
> acknowledged by snort...
>
> What interested me was the source of the addresses:
>
> LucasArts Entertainment Company (LUCASARTS-DOM)
> (NETBLK-LOCO-NET-LUCASARTS)
> PO Box 10307
> San Rafael, CA 94912
> US
>
> Netname: LOCO-NET-LUCASARTS
> Netblock: 206.251.0.128 - 206.251.0.191
>
> ...
>
> has anyone else seen this kind of activity,
> and can the snort portscan detection be trusted?
>
> Thanks....
>
> --
> ---------------------------------------------------------------->
> Peter Bates, Systems Support Officer, Network Support Team.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
Received on Jun 08 2000
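Joe's description of spp_portscan as a count of hits inside a time window, as an added Python example that is not code from this thread or from Snort: it runs both the window threshold and the per-packet STEALTH flag check (the tag on the quoted alerts, which each report a single connection) over constructed traffic, once at a low threshold and once at a higher one. Addresses, timestamps and packets are constructed; the web-server host stands in for the LucasArts address and the proxy for www-cache.

```python
from collections import defaultdict, deque

# Constructed packet records (hypothetical): (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# 203.0.113.10 plays a web server answering six parallel proxy fetches, so its SYN/ACK
# replies land on six different ephemeral ports of the proxy 192.0.2.20 within 0.5 s,
# which is the traffic shape that trips a low threshold. 198.51.100.7 is a genuine
# sequential probe of ten service ports over 1.8 s, used as the contrast case.
WEB_REPLIES = [(100.0 + 0.1 * i, "203.0.113.10", "192.0.2.20", 40000 + i, "SA") for i in range(6)]
STRAY_FIN = [(101.0, "203.0.113.10", "192.0.2.20", 40006, "F")]  # a lone FIN without ACK
SCAN = [(200.0 + 0.2 * i, "198.51.100.7", "192.0.2.20", p, "S")
        for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
PACKETS = WEB_REPLIES + STRAY_FIN + SCAN

# Flag combinations spp_portscan logged as a STEALTH scan on a single packet, regardless
# of any threshold: NULL (no flags), FIN only, SYN/FIN, and XMAS (FIN/PSH/URG).
STEALTH_FLAGS = {"", "F", "SF", "FPU"}


def detect(packets, threshold, window):
    """Return [(src, reason, timestamp)] alerts, mimicking the two spp_portscan paths:
    THRESHOLD when one source touches `threshold` distinct dst:port targets inside
    `window` seconds, STEALTH immediately for a packet with an odd flag combination."""
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, port)) still inside the window
    alerts = []
    for ts, src, dst, port, flags in sorted(packets):
        if flags in STEALTH_FLAGS:
            alerts.append((src, "STEALTH", ts))
        q = recent[src]
        q.append((ts, (dst, port)))
        while ts - q[0][0] > window:  # slide the window forward, dropping stale hits
            q.popleft()
        if len({target for _, target in q}) >= threshold:
            alerts.append((src, "THRESHOLD", ts))
            q.clear()  # one alert per burst (a simplification of the real bookkeeping)
    return alerts


def reasons_by_source(packets, threshold, window):
    """Group alert reasons per source so two tunings can be compared side by side."""
    out = defaultdict(list)
    for src, reason, _ in detect(packets, threshold, window):
        out[src].append(reason)
    return dict(out)


if __name__ == "__main__":
    for threshold, window in ((4, 3.0), (10, 3.0)):
        print(f"threshold={threshold} targets in {window}s:", reasons_by_source(PACKETS, threshold, window))
```

At the low setting the proxy's normal page fetch fires a THRESHOLD alert; at the higher setting it stays below the line while the sequential probe is still caught, and the STEALTH path fires on its single odd packet either way. Snort 1.x set the same two knobs in snort.conf as `preprocessor portscan: <network> <ports> <seconds> <logfile>`.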
