Well here's the answer. I'll try and find out what an event_ID is now. Probably something to do with a snort rule.
Re: [Snort-users] Web servers scanning clients!!!
* Date: Thu, 26 Dec 2002 20:38:45 -0500
* From: Matt Kettler <mkettler@xxxxxxxxxxx>
* To: Jason <security@xxxxxxxxxxx>
* Subject: Re: [Snort-users] Web servers scanning clients!!!
No, this is a port_limit exceeded issue, not a number of targets issue. It doesn't matter how many machines are on my lan, or if the number of them is greater than targets_max. The number of targets in the alert is 1.
What spp_portscan is seeing is > port_limit syn-ack TCP packets from port 80 on the webserver to changing local ports on a single client machine in HOME_NET.
If a webpage contains a few hundred small thumbnails of my vacation to the Bahamas (it's cold here right now, I like to think of warm places when it's cold) and you browse to that webpage, your web browser will successively download each image (actually it will download a few at a time in parallel but not all at once.. batches of 4-10 depending on the browser).
This successive loading will generate the following pattern of syns and syn-acks, assuming a windowsish client (It is the syn-acks, which are responses to legitimate traffic, that snort is alerting on.):
my_machine:1024 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(followed by the finishing of the handshake, transfer of data, and tear-down)
(now the next image)
my_machine:1025 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(again, more packets for transfer and tear-down)
(and a third)
my_machine:1026 -> webserver:80 SYN
webserver:80 -> my_machine:1024 SYN ACK
(you get the idea..)
Now if the images are small and numerous in the page, and your internet connection is fast, and your browser doesn't suck, you can very easily have hundreds of connections per second.
I currently have my port_limit set to 60 and it's still going off.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 60, timeout 20
preprocessor portscan2-ignorehosts: 192.168.50.0/24
And a sample alert, where xx.xx.xx.xx is an outside webserver, and yy.yy.yy.yy is a machine in my lan:
[**] [117:1:1] (spp_portscan2) Portscan detected from 12.130.91.21: 1 targets 61 ports in 1 seconds [**]
12/26-02:00:56.467413 xx.xxx.xx.xx:80 -> yy.yy.yy.yy:3996
TCP TTL:50 TOS:0x0 ID:39515 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xA77BDB46 Ack: 0x7754F65D Win: 0x62B8 TcpLen: 28
TCP Options (4) => NOP NOP SackOK MSS: 1404
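Added example, not from the post and not Snort's own code: a small Python model of the port_limit count described above. It replays the thumbnail pattern (SYN-ACKs from port 80 back to a client's changing ephemeral ports) and shows that the server side crosses port_limit 60 while the client side never does, and that counting only bare SYNs still catches a genuine scan but ignores the replies. The packet tuples, placeholder addresses and timings are constructed.

```python
from collections import defaultdict

# Constructed packets: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# modelled on the SYN / SYN-ACK exchange in the post, one new client port per image.
def make_thumbnail_burst(n_images, t0=0.0, gap=0.01):
    pkts = []
    for i in range(n_images):
        cport = 3000 + i
        pkts.append((t0 + i * gap, "yy.yy.yy.yy", cport, "xx.xx.xx.xx", 80, "S"))
        pkts.append((t0 + i * gap + 0.001, "xx.xx.xx.xx", 80, "yy.yy.yy.yy", cport, "SA"))
    return pkts

# Constructed contrast case: a real scanner probing n_ports ports on one host.
def make_scan(n_ports, t0=0.0, gap=0.01):
    return [(t0 + i * gap, "scanner", 40000, "yy.yy.yy.yy", 1 + i, "S")
            for i in range(n_ports)]

def portscan_alerts(pkts, port_limit=60, timeout=20.0, syn_only=False):
    """Simplified port_limit check (a model, not spp_portscan2's real logic):
    count distinct destination ports seen from one source to one target
    within `timeout` seconds; alert once the count exceeds port_limit."""
    seen = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    alerts = []
    for t, src, sport, dst, dport, flags in pkts:
        if syn_only and flags != "S":
            continue  # skip SYN-ACKs: they answer connections the target opened
        key = (src, dst)
        hist = [(ts, p) for ts, p in seen[key] if t - ts <= timeout]
        hist.append((t, dport))
        ports = {p for _, p in hist}
        if len(ports) > port_limit:
            alerts.append((src, dst, len(ports)))
            hist = []  # reset so one burst yields one alert
        seen[key] = hist
    return alerts

if __name__ == "__main__":
    burst = make_thumbnail_burst(80)
    print("thumbnails, all packets counted:", portscan_alerts(burst))
    print("thumbnails, SYN only:", portscan_alerts(burst, syn_only=True))
    print("real scan, SYN only:", portscan_alerts(make_scan(70), syn_only=True))
```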