Results 1 to 5 of 5

Thread: Snort Portscan Question

  1. July 11th, 2003, 03:25 AM #1
    KinoEye
    KinoEye is offline
    Junior Member
    Join Date
    Jul 2003
    Posts
    16

    Snort IDS Question

    When I review my snort logs I see lots of entried like this:

    [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from XX.XX.XXX.XXX (THRESHOLD 4 connections exceeded in 2 seconds) [**]
    07/10-19:06:09.285781

    [**] [100:2:1] spp_portscan: portscan status from XX.XX.XXX.XXX: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
    07/10-19:20:43.704297

    Now the problem is these scans are originating from my own IP & they seem to coincide with broswer requests, I can see them being logged as I'm surfing.

    So my question is:

    Is my system compromised?

    If not is there a rule to stop this from being logged without leaving myself open to scans?
    (I've looked high & low via google & snort.org)

    My system: Mac G4, OS X 10.2.6, Snort 2.0, software firewall (IPFW) all on a glorious 56k dialup.

    Any help would be appreciated.
    When in danger or in doubt run in circles scream and shout.
    Reply With Quote Reply With Quote
  2. July 11th, 2003, 04:18 AM #2
    3r2
    3r2 is offline
    Junior Member
    Join Date
    Jul 2003
    Posts
    5
    spp == Snort Preprocessor Plugin
    portscan == Snort Portscan Plugin

    This alert was not generated by a rule, therefore no packets were captured
    to log. The alert was generated by a seperate program that comes with
    snort.

    In snort.conf look for a line like:
    preprocessor portscan: $HOME_NET 10 3 portscan.log

    Which says alert on any external system hitting systems in $HOME_NET at a
    rate greater than or equal to 10 systems in 3 seconds (these two numbers may
    be different in your config).

    Here is the thread:
    http://www.geocrawler.com/mail/threa...scan&list=4890
    Let me know if this is close.
    Reply With Quote Reply With Quote
  3. July 11th, 2003, 09:05 AM #3
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    On that same snort.conf line you'll find the filename of a portscan.log. Take alook at it. It shows which host(s) are connecting to which port(s). See if you can post it here and somebody should be able to tell you what's going on. It maybe just regular Internet traffic.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
  4. July 11th, 2003, 10:06 AM #4
    slarty
    slarty is offline
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    You've configured snort incorrectly.

    Your own IPs are supposed to be in $HOME_NET or something similar (I can't quite remember). This will prevent them from being flagged as the source of attacks.

    I hope none of your users is using any P2P software, or snort becomes instantly almost useless (P2P is *WAY* too promiscuous).

    P2P is the enemy of IDS.
    Reply With Quote Reply With Quote
  5. July 12th, 2003, 02:58 AM #5
    KinoEye
    KinoEye is offline
    Junior Member
    Join Date
    Jul 2003
    Posts
    16
    Allright I changed the threshold in my conf file. That seems to have stopped it without affecting detection of real portscans, or at least the one I've run from pcflank.com as well as my own Nmap scans. Hopefully there will be no reoccurence <grits teeth>
    When in danger or in doubt run in circles scream and shout.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules