Why would snort logs show portscan/portsweep

slackhack · 09-04-2007, 11:47 AM

from my computer to an external IP? is that a sure sign that i've been compromised and someone is conducting hacking procedures from my box? Or could it just be some application (e.g., torrent client) scanning for a port to connect to?

unSpawn · 09-04-2007, 12:08 PM

Did you verify the integrity of your box?
Did you check what apps are using the network?
What does Snort report *exactly*?
How is Snort configured?

slackhack · 09-04-2007, 05:42 PM

I don't see anything unusual in any of the logs. There doesn't seem to be any strange or excessive traffic. Disk space and resources usage looks normal. Apps using the network are ntp, nfs, ssh, and bittornado, with very light apache and ftp usage.

snort is configured for just the services I use. It's reporting like this

Code:

Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================



    4  192.168.0.123    71.203.231.246   (portscan) TCP Portsweep
    3  192.168.0.123    70.160.58.224    (portscan) TCP Portsweep
    2  192.168.0.123    69.143.45.51     (portscan) TCP Portsweep
    2  66.82.16.34      192.168.0.123    ICMP Destination Unreachable Communication
+Administratively Prohibited
    2  192.168.0.123    76.104.218.201   (portscan) TCP Portsweep

I'm thinking it must just be a false positive from the torrents or maybe ntp?

unSpawn · 09-05-2007, 11:39 AM

No, certainly not NTP. About Bittorrent outbound I don't know, I use a BPF source filter. I do see Snort report scan FP's for Bittorrent but that's only inbound and not those alert ID's. You could run tcpdump for a period and dissect it with Wireshark.