LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-10-2003, 03:40 PM   #1
neil
Member
 
Registered: Jul 2001
Location: Kent, UK
Distribution: /Fedora/Debian/Ubuntu/Xubuntu
Posts: 108

You seem to have scanned me?


Hey, why do I get this, linuxquestions?

03/10-21:33:31.556919 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32943 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
03/10-21:33:31.705361 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32944 tgts: 1 ports: 22 flags: ***A**S* event_id: 3
03/10-21:33:32.439747 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32945 tgts: 1 ports: 23 flags: ***A**S* event_id: 3
03/10-21:33:32.666295 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32946 tgts: 1 ports: 24 flags: ***A**S* event_id: 3
03/10-21:33:33.326450 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32947 tgts: 1 ports: 25 flags: ***A**S* event_id: 3
03/10-21:33:33.504186 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32948 tgts: 1 ports: 26 flags: ***A**S* event_id: 3
03/10-21:33:34.174107 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32949 tgts: 1 ports: 27 flags: ***A**S* event_id: 3
03/10-21:33:34.334263 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32950 tgts: 1 ports: 28 flags: ***A**S* event_id: 3
03/10-21:33:35.062781 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32951 tgts: 1 ports: 29 flags: ***A**S* event_id: 3
03/10-21:33:35.197556 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32952 tgts: 1 ports: 30 flags: ***A**S* event_id: 3
[root@zen snort]# nslookup 64.179.4.147
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 212.126.144.2
Address: 212.126.144.2#53

147.4.179.64.in-addr.arpa name = images.linuxquestions.org.
 
Old 03-10-2003, 04:14 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

What do the event_id's 0 & 3 refer to?

It may just be replies to your requests for the page images...
There are certainly a lot on each page...
 
Old 03-11-2003, 01:11 AM   #3
neil
Member
 
Registered: Jul 2001
Location: Kent, UK
Distribution: /Fedora/Debian/Ubuntu/Xubuntu
Posts: 108

Original Poster
I've no idea! I'm trying to learn this stuff at the moment.
I got a similar thing from the bbc site, which I had been reading the news on. So I think they are probably false positives.

Mind you, I have surfed many other sites without alerts of this kind.

I thought it looked like a scan as all the alerts in the scan.log were in quick succession looking at the timestamp, all from the same source port (80).

Perhaps the same source port 80 is the giveaway, but I don't know the significance.

What are event IDs?
Fascinating.

 
Old 03-11-2003, 01:43 AM   #4
neil
Member
 
Registered: Jul 2001
Location: Kent, UK
Distribution: /Fedora/Debian/Ubuntu/Xubuntu
Posts: 108

Original Poster
Well, here's the answer. I'll try and find out what an event_ID is now. Probably something to do with a snort rule.

Re: [Snort-users] Web servers scanning clients!!!

* Date: Thu, 26 Dec 2002 20:38:45 -0500
* From: Matt Kettler <mkettler@xxxxxxxxxxx>
* To: Jason <security@xxxxxxxxxxx>
* Subject: Re: [Snort-users] Web servers scanning clients!!!

No, this is a port_limit exceeded issue, not a number of targets issue. It doesn't matter how many machines are on my lan, or if the number of them is greater than targets_max. The number of targets in the alert is 1.

What spp_portscan is seeing is > port_limit syn-ack TCP packets from port 80 on the webserver to changing local ports on a single client machine in HOME_NET.

If a webpage contains a few hundred small thumbnails of my vacation to the Bahamas (it's cold here right now, I like to think of warm places when it's cold) and you browse to that webpage, your web browser will successively download each image (actually it will download a few at a time in parallel but not all at once.. batches of 4-10 depending on the browser).

This successive loading will generate the following pattern of syns and syn-acks, assuming a windowsish client (It is the syn-acks, which are responses to legitimate traffic, that snort is alerting on.):

my_machine:1024 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(followed by the finishing of the handshake, transfer of data, and tear-down)

(now the next image)
my_machine:1025 -> webserver:80 SYN
webserver:80 -> my_machine:1025 SYN ACK
(again, more packets for transfer and tear-down)

(and a third)
my_machine:1026 -> webserver:80 SYN
webserver:80 -> my_machine:1026 SYN ACK
(you get the idea..)


Now if the images are small and numerous in the page, and your internet connection is fast, and your browser doesn't suck, you can very easily have hundreds of connections per second.

I currently have my port_limit set to 60 and it's still going off.

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 60, timeout 20
preprocessor portscan2-ignorehosts: 192.168.50.0/24

And a sample alert, where xx.xx.xx.xx is an outside webserver, and yy.yy.yy.yy is a machine in my lan:

[**] [117:1:1] (spp_portscan2) Portscan detected from 12.130.91.21: 1 targets 61 ports in 1 seconds [**]
12/26-02:00:56.467413 xx.xxx.xx.xx:80 -> yy.yy.yy.yy:3996
TCP TTL:50 TOS:0x0 ID:39515 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xA77BDB46 Ack: 0x7754F65D Win: 0x62B8 TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1404
 
Old 03-11-2003, 07:42 AM   #5
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602

There are numerous images on each page (i.e. I can assure you the box is not scanning you). From both the S and A flags being set you can see that this is the second stage of a new connection (Syn -> Syn/Ack -> Ack). The image server does have keep-alives turned on, so depending on your browser/OS you may be able to get all (or at least many) images to come over one connection.

--jeremy
 
Old 03-11-2003, 07:56 AM   #6
neil
Member
 
Registered: Jul 2001
Location: Kent, UK
Distribution: /Fedora/Debian/Ubuntu/Xubuntu
Posts: 108

Original Poster
Yes, I realise it is not a scan now. I was tired last night and thought the scanned ports were 21, 22, 23, up to 30. However, these are flags.

More questions than answers.

Why does snort just pick out the middle part of the tcp/ip handshake?

What does the event_ID field mean, and what do the flags 21, 22, 23, 24, 25 - 30 mean?

Sorry for all the questions, but that's what we are here for, isn't it?
 
Old 03-11-2003, 10:30 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Why does snort just pick out the middle part of the tcp/ip handshake?
That has to do with the purpose of the portscan2 preprocessor, and how the portscan2 preprocessor (spp2) is configured. SYN=synchronize, ACK=acknowledge, so a SYN+ACK packet means "this port is open and I'm acknowledging your request", which is cool to both allowed usage and portscanners. Anyone can fire off a SYN, but that doesn't mean the 2nd stage of the 3-way handshake (SYN+ACK) occurs. I guess since SYN+ACK (aka "half open scanning") is the next stage, that's why Snort registers them as potential portscans. Tweaking alerts can be done by configuring the thresholds you configure spp2 with. But if you just want to block "trusted" hosts from lighting up your spp2 logs like the proverbial X-mas tree, you can add them to the spp2 ignorehosts directive, or tack on a BPF filter when starting Snort, or head over to www.silicondefense.com and look at SPADE.
If you're not afraid to muck with BPF filters, it's rather easy to get a count from the portscan file and fire off a BPF filter at a certain threshold. No tools necessary, only minor Bash scripting skills.

What does the event_ID field mean, and what do the flags 21, 22, 23, 24, 25 - 30 mean?
No, you're reading the line wrong. It sez "ports 21, 22, 23, 24, 25 - 30", for the total number of ports tripped.
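To tie together Matt Kettler's SYN/ACK-from-port-80 pattern (post #4) and unSpawn's "count the portscan file and build a filter" suggestion, here is an added example script; it is not code from the thread or from Snort. The scan.log sample reuses the lines quoted in post #1 plus two constructed probe lines from a documentation address (198.51.100.7); treating SYN+ACK from server port 80/443 to a local port >= 1024 as a handshake reply, and the alert threshold, are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of spp_portscan scan.log lines: the first three are the
# linuxquestions.org image-server replies quoted in the thread, the last two
# are a made-up inbound SYN probe so the classifier has something to keep.
SAMPLE_LOG='03/10-21:33:31.556919 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32943 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
03/10-21:33:31.705361 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32944 tgts: 1 ports: 22 flags: ***A**S* event_id: 3
03/10-21:33:32.439747 TCP src: 64.179.4.147 dst: 212.126.145.218 sport: 80 dport: 32945 tgts: 1 ports: 23 flags: ***A**S* event_id: 3
03/10-21:33:40.000000 TCP src: 198.51.100.7 dst: 212.126.145.218 sport: 44021 dport: 22 tgts: 1 ports: 1 flags: ******S* event_id: 5
03/10-21:33:40.100000 TCP src: 198.51.100.7 dst: 212.126.145.218 sport: 44022 dport: 23 tgts: 1 ports: 2 flags: ******S* event_id: 5'

# Read scan.log lines on stdin and print: srcip sport dport flags class
# class is "reply" when the packet is a SYN+ACK from a web server port to an
# ephemeral local port, i.e. stage two of a handshake that a HOME_NET host
# started itself (assumed heuristic); anything else is left as "suspect".
classify() {
    awk '
    $2 == "TCP" {
        src = $4; sport = $8; dport = $10; flags = $16
        syn = (index(flags, "S") > 0); ack = (index(flags, "A") > 0)
        class = "suspect"
        if (syn && ack && (sport == 80 || sport == 443) && dport >= 1024)
            class = "reply"
        print src, sport, dport, flags, class
    }'
}

# Count "reply" lines per source host; a host at or above the threshold gets
# a portscan2-ignorehosts entry and an equivalent BPF expression for snort.
suggest_filters() {
    threshold="$1"
    classify | awk -v t="$threshold" '
    $5 == "reply" { n[$1]++ }
    END {
        for (h in n) if (n[h] >= t) {
            printf "preprocessor portscan2-ignorehosts: %s\n", h
            printf "not (src host %s and src port 80)\n", h
        }
    }'
}

echo "$SAMPLE_LOG" | classify
echo "$SAMPLE_LOG" | suggest_filters 3
```

The classifier only hides SYN+ACK replies, so an inbound SYN sweep (the 198.51.100.7 lines) still shows up as suspect even if it hits the same count.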
 
Old 03-12-2003, 02:15 AM   #8
neil
Member
 
Registered: Jul 2001
Location: Kent, UK
Distribution: /Fedora/Debian/Ubuntu/Xubuntu
Posts: 108

Original Poster
Yes, I did read it wrongly, not surprising really having had 3.5 hours' sleep. (13-month-old twins with chickenpox)

I'll go away and do some reading I think.
Thanks unSpawn, your post was very useful. I will look into that.
Thanks for all your help everyone.
 
  

