On Wed, Feb 23, Lee Clemens wrote:
I have been noticing a lot of alerts and logged packets with the title "TCP
Portscan", but when I look at Ethereal (running all the time) I can't seem
to find any packets similar to the ones logged. The full alert is
[122:1:0] (portscan) TCP Portscan {PROTO255} ExternalIP ->
IPofLocalDMZ.Computer
Looking at it for face value, you're right. These packets did not
appear on the network. Proto 255 is reserved, and so we use that to
signify the pseudo portscan packet. This is a crafted packet that
contains all the information about the scan in the payload.
This is done so that we don't have to store every packet that caused
the portscan alert.
I have also seen a lot of packets logged with Info: Bogus IP length (14,
less than header length 20), but Ethereal does not see these on the regular
recording either.
This sounds like the "off by 14 bytes" problem sfPortscan had in RC2.
Are you running an RC of 2.3.0?
Another interesting point is that the logged packets always have the same
Src and Dst MAC addresses (which isn't on my local network) but with a Src
IP address that I will see traffic from occasionally (legitamate), but not
with the DMZ.Computer.
Are these addresses 4D:41:43:44:41:44? That's the MAC address used for
the pseudo packet. The source and dest IPs you see in the header of
the pseudo packet are the IP pairs that kicked off the alert.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
