Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Port scans detected behind Firewall?

from [Matt Kettler] Network Security [Permanent Link]
Subject: Re: [Snort-users] Port scans detected behind Firewall?
Date: Mon, 13 Jun 2005 17:18:40 -0400 
James Bruce wrote:


Hello,
      I'm not sure this is the right place to ask this but I have a
another newb question. I don't fully understand how this is happening.
We have a Cisco pix 515 firewall, with all incoming ports closed and
some outbound ports open (80,25 etc..) We also have snort and squid
installed on a W2K server with a single interface behind the firewall.
All network users use the squid proxy for internet access. Snort is
picking up port scans from outside ip addresses. My question is how are
these sites port scanning my proxy server? I know some of these port
scans are from audio streaming sites looking for a hole but shouldn't
the firewall stop these port scans from reaching the proxy?? I'm sure
I'm missing something simple here. Please post your thoughts. Thank you
James

Here is the snort log: 192.168.0.6 is our proxy. Snort's threshold value
for # or ports is set to 20.


Unfortunately in my experience portscan2 has a big problem distinguishing
between a port scan and a client opening a website with a lot of images when you
start dropping packets. Use kill -USR1 to force snort to log it's stats and
check your packet drop rate. If you want to use portscan2 without lots FPs, that
number has to be very close to 0%.

If it misses the outgoing syn's portscan2 often sees all the syn-acks coming
back from the webserver as a syn-ack scan, instead of responses to legitimate
requests.

That explains the TCP scans being sourced from port 80. You can verify it
yourself, pick any website with a lot of images on it and you should trigger a
"scan" as soon as you open it.

The same basic effect happens with DNS lookups, but they show up as being UDP
packets sourced from port 53.


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.  
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Port scans detected behind Firewall?, James Bruce
Next by Date:  [Snort-users] BASE 1.1.3 release, Kevin Johnson
Previous by Thread:  [Snort-users] Port scans detected behind Firewall?, James Bruce
Next by Thread:  [Snort-users] BASE 1.1.3 release, Kevin Johnson
Indexes:  [Date] [Thread] [Top] [All Lists]