Snort mailing list archives
Re: Snort portscan false positives?
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 9 Oct 2002 13:00:36 -0700 (PDT)
On 9 Oct 2002, Felipe Alfaro Solana wrote:
I'm new to Snort and IDS... I'm curious to know what's passing through my ADSL router, so I installed SNORT on an old spare computer. I own a 3Com OfficeConnect 812 ADSL router... it's discontinued but works pretty fine. It's an ADSL router and a 4-port hub, so I hooked up my old computer to one of the ports of the router so I could analyze all the traffic coming in/going out from/to the Internet.
[...snip...]
So, based on the previous information, it seems that my web browser is connecting to an Internet host to download content (JPG, GIF, etc.) very very fast, using new connections and thus with sequentially increasing source ports. It seems that SNORT is taking these connections as a portscan attempt, but I think this is my web browser opening and closing HTTP connections against the web site very very fast. Also, since the Internet source port is always 80, this leads me to think it's simply a lot of HTTP traffic coming and going between my Web browser and the Web site.
When you fire up a socket to talk, it (usually) gets a 'random' port number. Some OSes will increment by one, others randomize a bit more. So what you're seeing is 'normal' in the way it works.

And as to how NAT works, keep in mind that your router does the NAT (well, actually PAT). And your snort box and your workstation are 'behind' the router, so the packets have already been 'un-NATed' when you read them. If you were in "front" of the NAT box, you would see what you were expecting.

The reason that portscan2 is flagging that as a scan is there are 'more than x connections to y targets.' Since ps2 has no idea of what your HOME_NET is, it sees the connections and flags them, even though they are coming from you. Just define portscan2-ignorehosts with your IP and all should be well.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
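To make the counting Erek describes concrete, here is an added example (written for this archive page, not code from the thread or from Snort itself) that approximates the portscan2 heuristic over constructed connection records: a browser behind the router fetching from several web servers trips the target count, an outside host probing many ports trips the port count, and listing the browser's address in the ignore set (the role of portscan2-ignorehosts) suppresses the false positive. The parameter names target_limit, port_limit and timeout are assumed stand-ins for portscan2's thresholds, and the sample traffic is made up.

```python
from collections import defaultdict

# Constructed connection records (timestamp_s, src_ip, dst_ip, dst_port); not real traffic.
# A browser at 192.168.1.10 pulls content from six web servers within two seconds, all on port 80.
BROWSER = [(1.0 + i * 0.3, "192.168.1.10", f"198.51.100.{i}", 80) for i in range(6)]
# An outside host probes 25 ports on the router's inside address within a few seconds.
PROBE = [(10.0 + i * 0.1, "203.0.113.5", "192.168.1.1", 1 + i) for i in range(25)]
SAMPLE_CONNECTIONS = BROWSER + PROBE


def portscan2_alerts(conns, ignorehosts=frozenset(), target_limit=5,
                     port_limit=20, timeout=60):
    """Approximate the portscan2 heuristic (assumed thresholds, not Snort's code):
    within `timeout` seconds, a source that reaches more than `target_limit`
    distinct hosts, or more than `port_limit` distinct host:port pairs, is
    reported once. Sources in `ignorehosts` are skipped, which is what
    portscan2-ignorehosts does for your own address. Returns [(src_ip, reason)]."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(conns):
        if src not in ignorehosts:
            by_src[src].append((ts, dst, dport))

    alerts = []
    for src, events in by_src.items():
        for i, (ts, _, _) in enumerate(events):
            # Sliding window: everything this source did in the last `timeout` seconds.
            window = [e for e in events[: i + 1] if ts - e[0] <= timeout]
            targets = {dst for _, dst, _ in window}
            ports = {(dst, dport) for _, dst, dport in window}
            if len(targets) > target_limit:
                alerts.append((src, "targets"))
                break
            if len(ports) > port_limit:
                alerts.append((src, "ports"))
                break
    return alerts


if __name__ == "__main__":
    print("no ignorehosts:", portscan2_alerts(SAMPLE_CONNECTIONS))
    print("browser ignored:", portscan2_alerts(SAMPLE_CONNECTIONS, ignorehosts={"192.168.1.10"}))
```

Without the ignore set both sources are reported; with the workstation's address ignored only the outside probe remains, which is the outcome the thread is after.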