[ On Wednesday, June 7, 2000 at 14:19:28 (+0100), Peter Bates wrote: ]
> Subject: Port-scans from visited web-sites?
>
> Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
> Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
> Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
> Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
>
> using snort, obviously, and generated from
> our machine that acts as our site 'web-cache/proxy'...
> this was followed by about 3/4 other similar 'scans'
> acknowledged by snort...
Snort is on drugs, I think. It's promulgating paranoia.
First off it's obviously not likely a scan. It might be a probe for
something, but unless your network neighbours are being probed similarly
it's not a "scan" of any kind.
Where the heck is the destination port number of this supposed
connection? How does snort *know* it's a "STEALTH" connection?
In fact you might try connecting to my web server (www.weird.com) and
see if it causes your snort'er to log anything -- I suspect it will....
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods_at_acm.org> <robohack!woods>
Planix, Inc. <woods_at_planix.com>; Secrets of the Weird <woods_at_weird.com>
Received on Jun 10 2000
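The triage Greg describes by eye (one connection to one host is a probe at most, not a scan) can be applied mechanically to the `spp_portscan` status lines quoted above. The following is an added example, not code from the thread or from the Snort project: it parses the three quoted status lines plus one constructed high-volume entry from source `192.0.2.10` (a documentation address, not from the thread), and rates each source on the per-event connection and host counts rather than on the mere presence of a "PORTSCAN DETECTED" line. The `min_connections` threshold is an assumption chosen for illustration. Note what the script cannot do: as the reply points out, these status lines carry no destination port, so nothing about *which* service was touched can be recovered from them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the spp_portscan lines quoted in the thread, plus one
# made-up source (192.0.2.10) reporting many connections, for contrast.
SAMPLE_LOG = """\
Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:40:00 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10
Jun 7 13:40:09 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 192.0.2.10: 37 connections across 1 hosts: TCP(37), UDP(0)
Jun 7 13:40:20 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 192.0.2.10
"""

# Only the "portscan status" line carries numbers; DETECTED/End lines add nothing.
STATUS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: spp_portscan: "
    r"portscan status from (?P<src>\d+\.\d+\.\d+\.\d+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<flags>.*)$"
)


@dataclass
class PortscanStatus:
    timestamp: str
    src: str
    connections: int
    hosts: int
    tcp: int
    udp: int
    flags: Tuple[str, ...]  # trailing tokens such as STEALTH


def parse_status(line: str) -> Optional[PortscanStatus]:
    """Parse one spp_portscan status line; return None for any other line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    return PortscanStatus(
        timestamp=m["ts"],
        src=m["src"],
        connections=int(m["conns"]),
        hosts=int(m["hosts"]),
        tcp=int(m["tcp"]),
        udp=int(m["udp"]),
        flags=tuple(m["flags"].split()),
    )


def parse_log(text: str) -> List[PortscanStatus]:
    """Keep only the status lines from a syslog excerpt."""
    return [s for s in (parse_status(l) for l in text.splitlines()) if s is not None]


def summarize(statuses: List[PortscanStatus], min_connections: int = 5) -> Dict[str, dict]:
    """Rate each source on its worst single event, not on how often it was flagged.

    Repeated events of one connection to one host (as in the thread) are
    separate visits, so summing them would manufacture a 'scan' from browsing.
    """
    by_src: Dict[str, dict] = {}
    for s in statuses:
        d = by_src.setdefault(
            s.src, {"events": 0, "max_connections": 0, "max_hosts": 0, "flags": set()}
        )
        d["events"] += 1
        d["max_connections"] = max(d["max_connections"], s.connections)
        d["max_hosts"] = max(d["max_hosts"], s.hosts)
        d["flags"].update(s.flags)
    for d in by_src.values():
        wide = d["max_hosts"] > 1                      # several hosts: a sweep
        deep = d["max_connections"] >= min_connections  # many connections: a scan
        d["verdict"] = "scan" if (wide or deep) else "isolated connection"
    return by_src


if __name__ == "__main__":
    for src, d in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {d['events']} event(s), "
              f"max {d['max_connections']} conn / {d['max_hosts']} host(s), "
              f"flags={sorted(d['flags'])} -> {d['verdict']}")
```

Run as-is, the script rates `206.251.0.173` as isolated connections (three events, each one connection to one host) and the constructed `192.0.2.10` as a scan. The `STEALTH` token is kept only as a flag: the preprocessor's label is not evidence of intent on its own, which is exactly the objection raised in the reply.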