Old 10-21-2006, 10:42 PM   #1
IBall
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Snort detecting "TCP Portsweep" from local machine to internet


Hi,
I have a small server running Debian Sarge, with all the latest security updates applied.

I have snort running, which emails me a report every morning.

I keep getting messages like this:
Code:
Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    3  65.54.188.57     192.168.1.1      WEB-MISC robots.txt access
    2  192.168.1.1      xxx.xxx.xxx.xxx  (portscan) TCP Portsweep
    2  192.168.1.1      xxx.xxx.xxx.xxx  (portscan) TCP Portsweep
(The "to" addresses I blocked out are miscellaneous machines on the internet, that are nothing to do with me)

What I would like to know is:
* What is a TCP portsweep - I guess it is some kind of port scan?
* Why is my machine portsweeping those other machines?
* Is this anything to worry about - have I been hacked?

Thanks in advance
--Ian
 
Old 10-22-2006, 05:26 AM   #2
//////
I had that same problem with my snort. Every time I opened Firefox and it loaded my homepage + RSS, I got many false alarms because snort was confusing a sudden increase in traffic with port scans (I was using Smoothwall at the time). I got many alerts like:

"filtered udp portscan <- dns traffic"
"tcp portsweep <- tcp traffic to the webservers"

I fixed that by putting my local IPs in the ignore list (ignore_scanners <ip_list> in snort.conf) and changing sense_level from high to medium.

http://www.snort.org/docs/snort_htma...00000000000000
http://www.securityfocus.com/archive...0/210/threaded

There is of course a possibility that it is a real alert, but when I was looking for a solution for my alerts, the common advice from snort users was fine-tuning snort.conf.

Last edited by //////; 10-22-2006 at 05:30 AM.
 
Old 10-22-2006, 06:46 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603Reputation: 3603
Quote:
* Is this anything to worry about - have I been hacked?
Answering that requires you to 1) check what application the traffic originated from (Snort log details, tcpdumping traffic, firewall egress logging) and 2) check whether there are local signs of a compromise. I agree that on busy hosts a port sweep more likely than not results in false positives, but it would be good to check anyway. Practice, y'know...
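As an added illustration (not code from the thread), the Python script below replays the distinction the sfportscan preprocessor draws, which both replies above turn on: a portsweep is one source touching the same port on many hosts (which is exactly what a server or browser fetching a homepage plus several RSS feeds looks like), while a portscan is one source probing many ports on one host. It runs over constructed iptables egress-log lines of the kind unSpawn suggests collecting, and mimics the ignore_scanners list from the earlier reply; the thresholds, log format and addresses are assumptions for the example, not Snort's exact internals.

```python
import re
from collections import defaultdict

# Constructed, abbreviated iptables LOG lines, as an egress-logging rule such as
# "-A OUTPUT -p tcp --syn -j LOG --log-prefix 'EGRESS '" would write them.
# Hosts, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Oct 22 08:01:01 sarge kernel: EGRESS OUT=eth0 SRC=192.168.1.1 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
Oct 22 08:01:01 sarge kernel: EGRESS OUT=eth0 SRC=192.168.1.1 DST=203.0.113.11 PROTO=TCP SPT=40002 DPT=80 SYN
Oct 22 08:01:02 sarge kernel: EGRESS OUT=eth0 SRC=192.168.1.1 DST=203.0.113.12 PROTO=TCP SPT=40003 DPT=80 SYN
Oct 22 08:01:02 sarge kernel: EGRESS OUT=eth0 SRC=192.168.1.1 DST=203.0.113.13 PROTO=TCP SPT=40004 DPT=80 SYN
Oct 22 08:01:03 sarge kernel: EGRESS OUT=eth0 SRC=192.168.1.1 DST=203.0.113.14 PROTO=TCP SPT=40005 DPT=80 SYN
Oct 22 08:02:10 sarge kernel: INGRESS IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=21 SYN
Oct 22 08:02:10 sarge kernel: INGRESS IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=22 SYN
Oct 22 08:02:10 sarge kernel: INGRESS IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=23 SYN
Oct 22 08:02:11 sarge kernel: INGRESS IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=25 SYN
Oct 22 08:02:11 sarge kernel: INGRESS IN=eth0 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=80 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

def classify(log_text, sweep_hosts=5, scan_ports=5, ignore_scanners=()):
    """Sort each source into the two sfportscan categories, simplified:
    portsweep = one source, one port, >= sweep_hosts distinct hosts;
    portscan  = one source, one host, >= scan_ports distinct ports.
    Thresholds are assumptions (sfportscan's real ones are time-windowed and
    set by sense_level); ignore_scanners mimics the snort.conf option.
    Returns {src: {"portsweep": [ports], "portscan": [hosts]}}."""
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["src"] in ignore_scanners:
            continue
        hosts_by_port[m["src"]][int(m["dpt"])].add(m["dst"])
        ports_by_host[m["src"]][m["dst"]].add(int(m["dpt"]))
    verdicts = {}
    for src in hosts_by_port:
        sweeps = sorted(p for p, hosts in hosts_by_port[src].items() if len(hosts) >= sweep_hosts)
        scans = sorted(h for h, ports in ports_by_host[src].items() if len(ports) >= scan_ports)
        if sweeps or scans:  # only report sources that crossed a threshold
            verdicts[src] = {"portsweep": sweeps, "portscan": scans}
    return verdicts

if __name__ == "__main__":
    # The server's own burst of port-80 connections is flagged as a sweep;
    # whitelisting it (ignore_scanners) leaves only the real inbound scan.
    print(classify(SAMPLE_LOG))
    print(classify(SAMPLE_LOG, ignore_scanners=("192.168.1.1",)))
```

Raising sweep_hosts plays roughly the role of lowering sense_level: the same five-host burst is then no longer reported, while the inbound multi-port probe still is.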
All times are GMT -5. The time now is 05:55 AM.