LinuxSA Mailing list archives
From: David Creed <dave.and.jen@internode.on.net>
To: Daryl Tester <Daryl.Tester@iocane.com.au>
Date: Wed, 03 Dec 2003 20:55:49 +1030
Re: Unusual entry in Snort log
Sorry for my lack of detail regarding my setup.
I should have known that it makes things easier for people if they have
some decent level of detail to work from.
This is my basic setup.
Yes, I'm NAT'ing :)
ADSL (Internode) from behind a Billion modem/router
Debian (Unstable) getting its IP via dhcp provided by the router.
I've attached log files that seem relevant
/var/log/snort/alert
/var/log/snort/portscan2.log
the alert log shows quite a bit of activity on ports above 37000
I'm not sure what else might be needed/relevant, so just give me a slap
upside the head and I'll dig up anything to help.
Cheers,
David Creed
On Wed, 2003-12-03 at 20:15, Daryl Tester wrote:
> David Creed wrote:
>
> > I installed snort a couple of weeks ago and came home today to find this
> > log (attached below) with unusual entries.
> > I don't like the sound of port scans coming FROM my machine, have I been
> > "0wn3d"?
> > Advise and opinions gratefully accepted.
>
> Unfortunately, snort doesn't appear to have given any details of what ports
> were being scanned, which would be helpful in determining whether snort has
> just tripped on normal outbound connections (e.g. a bunch of connections to
> a variety of web pages, which may show enough of a diverse range of hosts
> for snort to trigger on), or whether there was something more sinister
> happening. Do you have any more detailed log files to go by?
>
> Another thing - the source IP address appears private. Are you NAT'ing?
> Could snort be picking up outbound requests from a PC on your internal
> network? (I get this from my wife's XP machine all the time).
>
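The two checks Daryl asks for in the quoted reply (is the source address private, i.e. a NAT'd internal host, and does the "scan" look like normal browsing fan-out or like one host being probed on many ports) can be scripted against the portscan2 log. The script below is an added example and is not part of the thread; the log lines inside it are constructed in the style of Snort 2.x's portscan2.log (the real attachments were not shown), and the field layout it parses is an assumption about that format.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines imitating Snort 2.x portscan2.log (assumed layout;
# not the logs attached to the original post). Two sources: 192.168.1.5 hits
# five different hosts on 80/443 only, 192.168.1.7 walks ports on one host.
SAMPLE_LOG = """\
12/03-20:30:01.000001 TCP src: 192.168.1.5 dst: 203.0.113.10 sport: 37012 dport: 80 tgts: 1 ports: 1 flags: ******S* event_id: 1
12/03-20:30:01.200002 TCP src: 192.168.1.5 dst: 203.0.113.11 sport: 37013 dport: 80 tgts: 2 ports: 1 flags: ******S* event_id: 1
12/03-20:30:01.400003 TCP src: 192.168.1.5 dst: 203.0.113.12 sport: 37014 dport: 443 tgts: 3 ports: 2 flags: ******S* event_id: 1
12/03-20:30:01.600004 TCP src: 192.168.1.5 dst: 203.0.113.13 sport: 37015 dport: 80 tgts: 4 ports: 2 flags: ******S* event_id: 1
12/03-20:30:01.800005 TCP src: 192.168.1.5 dst: 203.0.113.14 sport: 37016 dport: 80 tgts: 5 ports: 2 flags: ******S* event_id: 1
12/03-21:00:00.000001 TCP src: 192.168.1.7 dst: 198.51.100.9 sport: 40001 dport: 21 tgts: 1 ports: 1 flags: ******S* event_id: 2
12/03-21:00:00.100002 TCP src: 192.168.1.7 dst: 198.51.100.9 sport: 40002 dport: 22 tgts: 1 ports: 2 flags: ******S* event_id: 2
12/03-21:00:00.200003 TCP src: 192.168.1.7 dst: 198.51.100.9 sport: 40003 dport: 23 tgts: 1 ports: 3 flags: ******S* event_id: 2
12/03-21:00:00.300004 TCP src: 192.168.1.7 dst: 198.51.100.9 sport: 40004 dport: 25 tgts: 1 ports: 4 flags: ******S* event_id: 2
12/03-21:00:00.400005 TCP src: 192.168.1.7 dst: 198.51.100.9 sport: 40005 dport: 110 tgts: 1 ports: 5 flags: ******S* event_id: 2
"""

# Assumed field layout: "<ts> <proto> src: A dst: B sport: N dport: M ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\S+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+)"
)

WEB_PORTS = {80, 443}
# Linux 2.4/2.6 default ephemeral range starts at 32768, so source ports in the
# 37000s are consistent with ordinary outbound connections from a Linux box.
EPHEMERAL_START = 32768


def parse_portscan2(text):
    """Return one dict per line that matches the assumed portscan2 layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, blanks, or lines in another format
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def classify(n_hosts, dports):
    """Heuristic: many hosts on web ports only looks like browsing fan-out;
    one host on several distinct ports looks like a port scan."""
    if n_hosts >= 3 and dports <= WEB_PORTS:
        return "browsing-like fan-out (many hosts, web ports only)"
    if n_hosts == 1 and len(dports) >= 3:
        return "scan-like (one host, many ports)"
    return "unclear"


def summarize_sources(events):
    """Per source IP: private (NAT'd) or not, distinct targets and ports,
    whether its source ports are all ephemeral, and a rough pattern label."""
    by_src = defaultdict(lambda: {"dsts": set(), "dports": set(), "sports": set()})
    for ev in events:
        s = by_src[ev["src"]]
        s["dsts"].add(ev["dst"])
        s["dports"].add(ev["dport"])
        s["sports"].add(ev["sport"])
    summary = {}
    for src, s in by_src.items():
        summary[src] = {
            "private_source": ipaddress.ip_address(src).is_private,
            "distinct_hosts": len(s["dsts"]),
            "distinct_ports": len(s["dports"]),
            "ephemeral_src_ports": all(p >= EPHEMERAL_START for p in s["sports"]),
            "pattern": classify(len(s["dsts"]), s["dports"]),
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_sources(parse_portscan2(SAMPLE_LOG)).items():
        print(src, info)
```

A private source address only says the traffic originated inside the NAT; to tell which internal machine, compare the address against the router's DHCP lease table. The pattern label is a triage hint, not a verdict: a legitimate fan-out to many hosts on 80/443 is what a browser or a package update produces, whereas one external host touched on 21, 22, 23, 25, 110 in quick succession deserves a closer look at the process that opened those sockets.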
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject