Hello,
I'm not sure this is the right place to ask this but I have a
another newb question. I don't fully understand how this is happening.
We have a Cisco pix 515 firewall, with all incoming ports closed and
some outbound ports open (80,25 etc..) We also have snort and squid
installed on a W2K server with a single interface behind the firewall.
All network users use the squid proxy for internet access. Snort is
picking up port scans from outside ip addresses. My question is how are
these sites port scanning my proxy server? I know some of these port
scans are from audio streaming sites looking for a hole but shouldn't
the firewall stop these port scans from reaching the proxy?? I'm sure
I'm missing something simple here. Please post your thoughts.
Thank you
James
Here is the snort log: 192.168.0.6 is our proxy. Snort's threshold value
for # or ports is set to 20.
--- Last alerts ---
06/13-15:20:57.618914 [**] [117:1:1] (spp_portscan2) Portscan detected
from 192.168.0.7: 1 targets 21 ports in 12 seconds [**] {UDP}
192.168.0.7:53 -> 192.168.0.6:8398 06/13-15:29:17.827235 [**] [117:1:1]
(spp_portscan2) Portscan detected from 216.236.239.10: 1 targets 21
ports in 2 seconds [**] {TCP} 216.236.239.10:80 -> 192.168.0.6:10250
06/13-15:29:43.021986 [**] [117:1:1] (spp_portscan2) Portscan detected
from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP}
204.227.127.209:80 -> 192.168.0.6:11423 06/13-15:30:54.461331 [**]
[117:1:1] (spp_portscan2) Portscan detected from 207.230.154.176: 1
targets 21 ports in 1 seconds [**] {TCP} 207.230.154.176:80 ->
192.168.0.6:11958 06/13-15:34:40.466430 [**] [117:1:1] (spp_portscan2)
Portscan detected from 192.168.0.175: 6 targets 8 ports in 45 seconds
[**] {TCP} 192.168.0.175:3903 -> 69.28.176.139:554 06/13-15:34:51.430731
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.0.175: 6
targets 6 ports in 10 seconds [**] {TCP} 192.168.0.175:3915 ->
69.28.151.234:1755 06/13-15:41:14.616486 [**] [117:1:1] (spp_portscan2)
Portscan detected from 216.236.239.10: 1 targets 21 ports in 32 seconds
[**] {TCP} 216.236.239.10:80 -> 192.168.0.6:15252 06/13-15:45:14.946210
[**] [117:1:1] (spp_portscan2) Portscan detected from 204.227.127.209: 1
targets 21 ports in 2 seconds [**] {TCP} 204.227.127.209:80 ->
192.168.0.6:16104 06/13-15:47:20.851468 [**] [117:1:1] (spp_portscan2)
Portscan detected from 192.168.0.144: 6 targets 6 ports in 39 seconds
[**] {TCP} 192.168.0.144:4119 -> 64.12.37.89:80 06/13-15:51:26.273253
[**] [117:1:1] (spp_portscan2) Portscan detected from 216.236.239.10: 1
targets 21 ports in 2 seconds [**] {TCP} 216.236.239.10:80 ->
192.168.0.6:17208
-- END OF LOG ---
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
