No, this is a port_limit exceeded issue, not a number of targets issue. It
doesn't matter how many machines are on my lan, or if the number of them is
greater than targets_max. The number of targets in the alert is 1 :)
What spp_portscan is seeing is > port_limit syn-ack TCP packets from port
80 on the webserver to changing local ports on a single client machine in
HOME_NET.
If a webpage contains a few hundred small thumbnails of my vacation to the
Bahamas (it's cold here right now, I like to think of warm places when it's
cold) and you browse to that webpage, your web browser will successively
download each image (actually it will download a few at a time in parallel
but not all at once.. batches of 4-10 depending on the browser).
This successive loading will generate the following pattern of syns and
syn-acks, assuming a windowsish client (It is the syn-acks, which are
responses to legitimate traffic, that snort is alerting on.):
my_machine:1024 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(followed by the finishing of the handshake, transfer of data, and tear-down)
(now the next image)
my_machine:1025 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(again, more packets for transfer and tear-down)
(and a third)
my_machine:1026 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(you get the idea..)
Now if the images are small and numerous in the page, and your internet
connection is fast, and your browser doesn't suck, you can very easily have
hundreds of connections per second.
I currently have my port_limit set to 60 and it's still going off.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit
5, port_limit 60, timeout 20
preprocessor portscan2-ignorehosts: 192.168.50.0/24
And a sample alert, where xx.xx.xx.xx is an outside webserver, and
yy.yy.yy.yy is a machine in my lan:
[**] [117:1:1] (spp_portscan2) Portscan detected from 12.130.91.21: 1
targets 61 ports in 1 seconds [**]
12/26-02:00:56.467413 xx.xxx.xx.xx:80 -> yy.yy.yy.yy:3996
TCP TTL:50 TOS:0x0 ID:39515 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xA77BDB46 Ack: 0x7754F65D Win: 0x62B8 TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1404
At 08:17 PM 12/26/2002 -0500, Jason wrote:
Curious,
what is your config like?
specifically,
targets_max
target_limit
port_limit
is it a case where you have more hosts on your net than targets_max is set to?
Jason
Matt Kettler wrote:
Actually, note that those are ack-syn packets from their port 80 to ports
in the "client" range on your system.
You're the one "scanning" them.
In this case your web browser is rapidly opening connections to download
a large number of small images in the page. Each successive connection
gets a different source-port on your side, and the responses look like a
portscan to the portscan2 preprocessor.
I too have this problem with portscan2 since I enabled it. It seems that
some awareness of the outbound syn packets from your home_net should be
present to keep this from false-alerting, but it doesn't seem to be
present in snort 1.9.0. (this could also be a config bug on my part, and
Farzin's too)
Is this a known-bug or is there some way to tell the portscan2
preprocessor how to properly understand large bursts of outbound client
connections from HOME_NET?
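As an added illustration of the two behaviours discussed in this thread (stateless SYN-ACK counting that trips on a thumbnail-heavy page, and the outbound-SYN awareness asked for above), written for this page and not code from Snort's portscan2 or from anyone on the list; HOME_NET, the addresses and the traffic are constructed, and a one-second window stands in for the preprocessor's timeout.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.50.0/24")  # assumed to match the poster's LAN
PORT_LIMIT = 60                           # port_limit from the poster's config
WINDOW = 1.0                              # seconds; simplified stand-in for timeout

def portscan_alerts(packets, track_outbound):
    """Flag sources that send SYN-ACKs to more than PORT_LIMIT distinct ports on
    one target inside WINDOW seconds. Packets are (ts, src, sport, dst, dport,
    flags) tuples. With track_outbound=True, a SYN-ACK that answers a SYN sent
    earlier by a HOME_NET client is treated as solicited and is not counted."""
    outstanding = set()        # (src, sport, dst, dport) of SYNs from HOME_NET
    ports = defaultdict(set)   # (sender, target) -> distinct target ports seen
    window_start = {}
    alerts = set()
    for ts, src, sport, dst, dport, flags in packets:
        if flags == "S" and ip_address(src) in HOME_NET:
            outstanding.add((src, sport, dst, dport))
            continue
        if flags != "SA":
            continue
        reply_to = (dst, dport, src, sport)
        if track_outbound and reply_to in outstanding:
            outstanding.discard(reply_to)   # answer to our own connection
            continue
        key = (src, dst)
        if key not in window_start or ts - window_start[key] > WINDOW:
            window_start[key] = ts          # start a fresh counting window
            ports[key] = set()
        ports[key].add(dport)
        if len(ports[key]) > PORT_LIMIT:
            alerts.add(src)
    return alerts

def thumbnail_burst(n, client="192.168.50.10", server="203.0.113.80"):
    """Constructed traffic: a browser fetching n thumbnails over n connections,
    client port climbing from 1024 as in the trace quoted above."""
    pkts = []
    for i in range(n):
        ts, cport = i * 0.01, 1024 + i
        pkts.append((ts, client, cport, server, 80, "S"))
        pkts.append((ts + 0.002, server, 80, client, cport, "SA"))
    return pkts

def unsolicited_synacks(n, src="198.51.100.7", target="192.168.50.10"):
    """Constructed traffic: n SYN-ACKs to one host with no matching outbound
    SYN, so even the outbound-aware counter still has to count them."""
    return [(i * 0.01, src, 80, target, 1024 + i, "SA") for i in range(n)]
```

With 61 thumbnails the stateless counter names the web server as the scanner, exactly like the quoted alert, while the outbound-aware counter stays quiet and still fires on SYN-ACKs that nothing inside HOME_NET asked for.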