Ok, for all who are not lazy, let's comment the 1st entry a wee bit:
[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/26/02-20:56:35.324967 64.179.4.147:80 -> x.x.38.237:2590
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x7CE1B8D3 Ack: 0x866312C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
[**] [117:1:1] (snort preprocessor portscan2) Portscan detected from
images.linuxquestions.org: 1 targets 21 ports in 1 seconds [**]
mm/dd/yy-time.fraction
images.linuxquestions.org:http(1) to snort:(unpriv port, no IANA svc)
TCP Time To Live: 47
(4) Type Of Service:(none) ID:0 IP Header Length:20
(2) bytes Datagram Length:(IP Header Length + TCP Length)
(2) Do not fragment
Flags: SYN+ACK Sequence number: x Acknowledge number: y TCP Window size: 5840
(4) TCP Length
(2): 28 bytes
TCP Options
(3) (4) => Maximum Segment Size (above val DF will be set): 1460, No Operation (pad options up to 4K), No Operation (pad options up to 4K), Selective Acknowledgements accepted
1. The src:sport shows this could(!) be http from Jeremy's new image server if it is legitimate traffic. How do we find out? If you have the tcpdump you can manually scrub the contents; if you use Ethereal/tcpflow you would see the "conversation" between src and dst. If Snort *doesn't* alert, this doesn't mean there's only legitimate traffic; as with, for instance, Chkrootkit, Snort can only know what its signatures can scrub packets for. Anyway, the sport:http correlates with having an unprivileged dport when we *assume* there's no backdoor at dst, and the SYN+ACK flags show this to be part of an established connection. Also, looking up the dport doesn't give any IANA registered svc for that port (IIRC).
Jeremy's image server would be suspect if it fires SYN's at you :-]
2. This IP packet contains 20 bytes of IP stuff (headers like addresses, options, yada yada yada), and 28 bytes of TCP payload (headers, options, TCP payload). If you dissect it using
this for instance or an (online copy of) O'Reilly's Bookshelf, like
Appendix F. Selected TCP/IP Headers, then the packet's headers check out fine (do simple math).
3. See 2.
4. If we do what p0f, nmap or Queso automate for us, let's see who we're talking to. If we assert you're 17 hops away from src, the initial TTL could be 64. At a Window size of 5840, you'd be looking at a Linux host talking to you.
(I get to say "ergo" again, ain't life grand...)
Ergo, this wasn't a malicious packet. :-]
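As an added example (not the poster's code), here is a small Python parser for the Snort full-alert record quoted above that applies the same checks the post walks through: decoding the flag string, the IpLen + TcpLen = DgmLen arithmetic, the handshake direction (SYN+ACK from a service port to an unprivileged port), and the TTL/window guess. The sample record is a constructed copy of the alert above with the destination left masked as on the page; the OS guess is a p0f-style heuristic, not a definitive identification.

```python
import re
# Constructed copy of the Snort full-alert record discussed in the post (dst left masked as on the page).
SAMPLE_ALERT = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/26/02-20:56:35.324967 64.179.4.147:80 -> x.x.38.237:2590
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x7CE1B8D3 Ack: 0x866312C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""
FLAG_NAMES = "12UAPRSF"  # order in which Snort prints the TCP flag byte

def parse_alert(text):
    """Parse one Snort full-alert record into a dict of IP/TCP header fields."""
    l = [ln for ln in text.splitlines() if ln.strip()]
    m_hdr = re.match(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] \((.+?)\) (.+) \[\*\*\]", l[0])
    m_ip = re.match(r"(\S+) (\S+):(\d+) -> (\S+):(\d+)", l[1])
    m_ipl = re.match(r"TCP TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)", l[2])
    m_tcp = re.match(r"([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) "
                     r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)", l[3])
    m_opt = re.match(r"TCP Options \((\d+)\) => (.*)", l[4]) if len(l) > 4 else None
    if not (m_hdr and m_ip and m_ipl and m_tcp):
        raise ValueError("not a Snort full-alert record")
    flags = {FLAG_NAMES[i] for i, c in enumerate(m_tcp.group(1)) if c != "*"}
    opts = m_opt.group(2).split() if m_opt else []
    mss = int(opts[opts.index("MSS:") + 1]) if "MSS:" in opts else None
    return {
        "sid": m_hdr.group(2), "msg": m_hdr.group(5),
        "src": m_ip.group(2), "sport": int(m_ip.group(3)),
        "dst": m_ip.group(4), "dport": int(m_ip.group(5)),
        "ttl": int(m_ipl.group(1)), "iplen": int(m_ipl.group(4)),
        "dgmlen": int(m_ipl.group(5)), "df": "DF" in m_ipl.group(6).split(),
        "flags": flags, "win": int(m_tcp.group(4), 16),
        "tcplen": int(m_tcp.group(5)), "mss": mss,
    }

def assess(p):
    """Apply the post's checks: header length math, handshake direction, TTL/window fingerprint."""
    initial_ttl = next(t for t in (64, 128, 255) if t >= p["ttl"])  # nearest common OS default
    syn_ack = p["flags"] == {"A", "S"}
    return {
        "lengths_ok": p["dgmlen"] == p["iplen"] + p["tcplen"],   # 48 == 20 + 28
        "is_syn_ack": syn_ack,
        # SYN+ACK from a privileged service port to an unprivileged port: second leg of a handshake the dst started
        "server_reply": syn_ack and p["sport"] < 1024 <= p["dport"],
        "initial_ttl": initial_ttl,
        "hops": initial_ttl - p["ttl"],
        # p0f-style heuristic: initial TTL 64, DF set, window = 4 * MSS is the Linux signature the post cites
        "linux_like": bool(initial_ttl == 64 and p["df"] and p["mss"] and p["win"] == 4 * p["mss"]),
    }
```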