Snort mailing list archives
Re: Interpreting logs
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Fri, 20 Jul 2001 08:29:28 +0200
On Thu, Jul 19, 2001 at 09:25:05AM -0700, Migus, Adam wrote:
> [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 24.249.235.55 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
> 07/19-03:01:48.093228
The rate was exceeded.
> [**] spp_anomsensor: Anomaly threshold exceeded: 6.0893 [**]
> 07/19-05:25:37.765846 24.249.235.55:4778 -> 64.94.89.146:80
> TCP TTL:127 TOS:0x0 ID:56422 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0xBE1604FD  Ack: 0x0  Win: 0x4000  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>
> This entry is also taken from my /var/log/snort/alert. It is complaining
> about an ordinary connection to the http port of a random site I visited.
> Why?
Because it's anomalous.
> Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
> Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
>
> This entry is taken from /var/log/snort/portscan.log. These as well are
> ordinary client connections to an external DNS and POP server I use.
> How do I interpret this?
Somebody used your nameserver. Somebody made a synscan for a POP3 server.

-- 
Ralf Hildebrandt (ralf.hildebrandt () innominate com)
innominate AG, Technical Consultant, Diplom-Informatiker
tel: +49.(0)7000.POSTFIX   fax: +49.(0)30.308806-77
Don't be afraid of what you see - be afraid of what you don't see!
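As an added example (not from this thread or from Snort itself), a small Python reimplementation of the threshold quoted in the first alert, 4 connections in 3 seconds, run over the two portscan.log lines from the thread plus constructed lines for a single web page load; it shows why a sensor that sees its own client's outbound traffic reports that client. The distinct-target counting rule, the function names and the 192.0.2.x hosts are assumptions, not Snort's actual bookkeeping.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Line format of spp_portscan's portscan.log as quoted in the thread:
#   Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)"
)

def parse_line(line, year=2001):
    """Parse one portscan.log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}

def detect_portscans(lines, threshold=4, window=3):
    """Sliding-window version of the rule quoted in the alert: a source that reaches
    `threshold` distinct (dst, dport, proto) targets within `window` seconds is
    reported. Assumption: this captures the intent, not Snort's exact bookkeeping."""
    recent = defaultdict(deque)          # src -> deque of (ts, target)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], (rec["dst"], rec["dport"], rec["proto"])))
        while (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()                  # drop entries older than the window
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            alerts.append((rec["src"], rec["ts"], sorted(targets)))
            q.clear()                    # start a fresh window after alerting
    return alerts

# Constructed sample: the two thread lines, then one web page load (DNS plus HTTP to three hosts) packed into two seconds.
SAMPLE = """\
Jul 19 05:22:37 24.249.235.55:1310 -> 24.3.0.36:53 UDP
Jul 19 05:23:27 24.249.235.55:41757 -> 198.165.106.2:110 SYN ******S*
Jul 19 05:30:00 24.249.235.55:1400 -> 24.3.0.36:53 UDP
Jul 19 05:30:00 24.249.235.55:1401 -> 64.94.89.146:80 SYN ******S*
Jul 19 05:30:01 24.249.235.55:1402 -> 24.3.0.36:53 UDP
Jul 19 05:30:01 24.249.235.55:1403 -> 192.0.2.10:80 SYN ******S*
Jul 19 05:30:02 24.249.235.55:1404 -> 192.0.2.20:80 SYN ******S*
"""
```

The two lines Adam posted alone produce no alert; the page load does, because four distinct targets fall inside one 3-second window.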