LinuxQuestions.org
Old 10-27-2002, 11:53 AM   #1
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madagascar
Posts: 498

Port scans!!!


Thanks to unSpawn I was able to get my spiffy snort IDS going. Little did I know that I was getting electronically smacked every couple of minutes. For those of you who didn't read the title, I'm talking about port scans. My question to everyone is, what should I do? I know they are just semi-innocent activity, but it really burns me anyway. I would complain to their upstream provider but I'm sure they have better things to worry about. Here's a snippet of the snort alert file.

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/26/02-20:56:35.324967 64.179.4.147:80 -> x.x.38.237:2590
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x7CE1B8D3 Ack: 0x866312C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 65.113.118.4: 1 targets 21 ports in 2 seconds [**]
10/26/02-20:57:52.469997 65.113.118.4:80 -> x.x.38.237:2719
TCP TTL:107 TOS:0x0 ID:35536 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x16115F2E Ack: 0x87D859D9 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from x.x: 1 targets 21 ports in 8 seconds [**]
10/26/02-21:04:49.039439 x.x.38.237:2834 -> 62.27.48.86:27050
UDP TTL:127 TOS:0x0 ID:19987 IpLen:20 DgmLen:37
Len: 17

[**] [117:1:1] (spp_portscan2) Portscan detected from 130.94.4.231: 1 targets 21 ports in 1 seconds [**]
10/26/02-21:41:34.868377 130.94.4.231:80 -> x.x.38.237:3097
TCP TTL:240 TOS:0x0 ID:26473 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xBCCD74E9 Ack: 0xAF104A0E Win: 0x25BC TcpLen: 24
TCP Options (1) => MSS: 1380

[**] [117:1:1] (spp_portscan2) Portscan detected from 204.253.104.95: 1 targets 21 ports in 38 seconds [**]
10/26/02-21:43:04.820423 204.253.104.95:80 -> x.x.38.237:3173
TCP TTL:114 TOS:0x0 ID:48339 IpLen:20 DgmLen:48
***A**S* Seq: 0xFE828352 Ack: 0xB090A351 Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 12 seconds [**]
10/26/02-22:03:38.371724 64.179.4.147:80 -> x.x.38.237:3263
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x78D31D3C Ack: 0xC1A7C095 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.4.22.24: 1 targets 21 ports in 4 seconds [**]
10/26/02-22:16:14.030456 64.4.22.24:80 -> x.x.38.237:1589
TCP TTL:47 TOS:0x0 ID:8595 IpLen:20 DgmLen:48
***A**S* Seq: 0x3224232C Ack: 0x8A527A Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 66.220.21.11: 1 targets 21 ports in 4 seconds [**]
10/26/02-22:27:57.134476 66.220.21.11:80 -> x.x.38.237:1764
TCP TTL:43 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xD58D0EF9 Ack: 0x950D6C Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 14 seconds [**]
10/27/02-09:47:17.709518 64.179.4.147:80 -> x.x.38.237:3431
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xDA9B8D7D Ack: 0x138071A Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/27/02-09:48:50.404641 64.179.4.147:80 -> x.x.38.237:3483
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE15817AC Ack: 0x2A15F34 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.4.22.24: 1 targets 21 ports in 7 seconds [**]
10/27/02-13:28:21.258091 64.4.22.24:80 -> x.x.38.237:2043
TCP TTL:47 TOS:0x0 ID:63761 IpLen:20 DgmLen:48
***A**S* Seq: 0x55F98B31 Ack: 0x3CD89EA Win: 0x4470 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 16 seconds [**]
10/27/02-13:30:28.365092 64.179.4.147:80 -> x.x.38.237:3606
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x308105C4 Ack: 0xB8BE73C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 4 seconds [**]
10/27/02-13:35:21.994942 64.179.4.147:80 -> x.x.38.237:3706
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x428C356A Ack: 0xBD05CD68 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


One of them says I port scanned RIPE (62.27.48.86) across multiple IPs. OK..... The scan.log file is even more horrendous. 13 pages of log!


--tarballedtux
 
Old 10-27-2002, 01:21 PM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

You can complain; most of the time, though, the ISP just doesn't care ... on large company networks, though, and on a continuous port scan from a host, you might get the admin to check that out and take the necessary steps.

Like I recorded a large SSH1 attack from a Chinese network against an IP range of a server ...
 
Old 10-27-2002, 06:22 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: I know they are just semi-innocent activity, but it really burns me anyways.
How did you establish this as being semi-innocent activity?
Why the SYN+ACK flags?
Why static src ports and dynamic dst ports?
Are any of these entries accompanied by an alert?

If you don't want to dissect the logs, and these src IPs show up constantly in the logs, add them to the portscan ignore var, or adjust your BPF filter accordingly (not src host x and not src host y etc etc).
 
Old 10-27-2002, 07:39 PM   #4
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madagascar
Posts: 498

Original Poster
I know what you mean. A lot of those src ports are 80. What firewall are they trying to fool? Dst ports 25, 110, come on. You're right, this was malicious, but luckily my firewall is so good that this crap doesn't even get through. On the other hand, I'm just too lazy to complain.


--tarballedtux
 
Old 10-29-2002, 07:18 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Ok, for all who are not lazy, let's comment the 1st entry a wee bit:

[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/26/02-20:56:35.324967 64.179.4.147:80 -> x.x.38.237:2590
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x7CE1B8D3 Ack: 0x866312C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (snort preprocessor portscan2) Portscan detected from images.linuxquestions.org: 1 targets 21 ports in 1 seconds [**]
mm/dd/yy-time.fraction images.linuxquestions.org:http(1) to snort:(unpriv port, no IANA svc)
TCP Time To Live: 47(4) Type Of Service:(none) ID:0 IP Header Length:20(2) bytes Datagram Length:(IP Header Length + TCP Length)(2) Do not fragment
Flags: SYN+ACK Sequence number: x Acknowledge number: y TCP Window size: 5840(4) TCP Length(2): 28 bytes
TCP Options(3) (4) => Maximum Segment Size (above val DF will be set): 1460, No Operation (pad options up to 4K), No Operation (pad options up to 4K), Selective Acknowledgements accepted

1. The src:sport shows this could(!) be http from jeremy's new image server if it is legitimate traffic. How do we find out? If you have the tcpdump you can manually scrub the contents; if you use Ethereal/tcpflow you would see the "conversation" between src and dst. If Snort *doesn't* alert, this doesn't mean there's only legitimate traffic: as with, for instance, Chkrootkit, Snort can only know what its signatures can scrub packets for. Anyway, the sport:http correlates with having an unprivileged dport when we *assume* there's no backdoor at dst; the SYN+ACK flags show this to be part of an established connection. Also, looking up the dport doesn't give any IANA registered svc for that port (IIRC).
Jeremy's image server would be suspect if it fires SYN's at you :-]
2. This IP packet contains 20 bytes of IP stuff (headers like addresses, options, yada yada yada), and 28 bytes of TCP payload (headers, options, TCP payload). If you dissect it using this for instance or an (online copy of) O'Reilly's Bookshelf, like Appendix F. Selected TCP/IP Headers, then the packet's headers check out fine (do simple math).
3. See 2.
4. If we do what p0f, nmap or Queso automate for us, let's see who we're talking to. If we assert you're 17 hops away from src, the initial TTL could be 64. At a Window size of 5840, you'd be looking at a Linux host talking to you.

(I get to say "ergo" again, ain't life grand...)
Ergo, this wasn't a malicious packet. :-]
 
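Editor's note: the triage that posts #3 and #5 walk through by hand (why SYN+ACK, why a static src port of 80 against a moving dst port, does the header arithmetic add up, what does the TTL and window size say about the sender) is mechanical enough to script. The block below is an added example written for this page; it is not code from the thread, from unSpawn, or from the Snort project. It parses the alert-file format shown in post #1 and applies the same reasoning to each entry. Assumptions not in the thread: the split between "service" and "ephemeral" ports is taken at 1024; the OS guess implements only the single rule post #5 uses (initial TTL 64 plus a 5840-byte window means Linux 2.4) and says "unknown" for everything else; the first two sample entries are copied from the thread, the third is constructed on a documentation address (198.51.100.7) to show a bare inbound SYN for contrast; and all function names are mine.

```python
"""Triage Snort 1.x spp_portscan2 alerts the way post #5 does: decode the flag string,
compare ports, estimate initial TTL and hop count, check header arithmetic, and decide
whether the "portscan" is really a server's SYN+ACK reply to a connection we opened."""
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] \(\w+\) Portscan detected from "
                       r"(\S+): (\d+) targets (\d+) ports in (\d+) seconds \[\*\*\]$")
PACKET_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ "
                    r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)$")
OPTS_RE = re.compile(r"^TCP Options \(\d+\) => (.*)$")
FLAG_ORDER = "12UAPRSF"        # the order in which Snort prints the eight TCP flag bits
OPTION_BYTES = {"MSS": 4, "NOP": 1, "SackOK": 2, "WS": 3, "TS": 10}   # on-the-wire sizes

# Constructed sample input: the first two entries are copied from the thread (x.x.38.237
# is the poster's own redacted address); the third is made up, on a documentation
# address, to show what a bare inbound SYN looks like by contrast.
SAMPLE_ALERTS = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 64.179.4.147: 1 targets 21 ports in 1 seconds [**]
10/26/02-20:56:35.324967 64.179.4.147:80 -> x.x.38.237:2590
TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x7CE1B8D3 Ack: 0x866312C3 Win: 0x16D0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [117:1:1] (spp_portscan2) Portscan detected from x.x: 1 targets 21 ports in 8 seconds [**]
10/26/02-21:04:49.039439 x.x.38.237:2834 -> 62.27.48.86:27050
UDP TTL:127 TOS:0x0 ID:19987 IpLen:20 DgmLen:37
Len: 17

[**] [117:1:1] (spp_portscan2) Portscan detected from 198.51.100.7: 1 targets 21 ports in 1 seconds [**]
10/26/02-22:00:00.000000 198.51.100.7:43210 -> x.x.38.237:25
TCP TTL:52 TOS:0x0 ID:777 IpLen:20 DgmLen:40
******S* Seq: 0x1 Ack: 0x0 Win: 0x400 TcpLen: 20
"""

def parse_flags(flagstr: str) -> set:
    """'***A**S*' -> {'A', 'S'}: Snort prints each set bit at its own fixed position."""
    return {FLAG_ORDER[i] for i, ch in enumerate(flagstr) if ch != "*"}

def guess_initial_ttl(ttl: int) -> int:
    """Each router decrements TTL by one, so the smallest common default >= observed wins."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def guess_os(initial_ttl: int, window) -> str:
    # The one rule post #5 applies: initial TTL 64 plus a 5840-byte window is the classic
    # Linux 2.4 stack signature. Anything else is deliberately left undecided here.
    return "Linux 2.4 (heuristic)" if (initial_ttl, window) == (64, 5840) else "unknown"

def parse_alerts(text: str) -> List[Dict]:
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        hdr, pkt, ip = HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]), IP_RE.match(lines[2])
        if not (hdr and pkt and ip):
            continue                                   # not an entry in the format we expect
        e = {"ports": int(hdr.group(3)), "time": pkt.group(1), "src": pkt.group(2),
             "sport": int(pkt.group(3)), "dst": pkt.group(4), "dport": int(pkt.group(5)),
             "proto": ip.group(1), "ttl": int(ip.group(2)), "iplen": int(ip.group(3)),
             "dgmlen": int(ip.group(4)), "flags": set(), "window": None, "l4len": None,
             "options_ok": None}
        rest = lines[3:]
        if e["proto"] == "TCP" and rest and (tcp := TCP_RE.match(rest[0])):
            e["flags"] = parse_flags(tcp.group(1))
            e["window"], e["l4len"] = int(tcp.group(2), 16), int(tcp.group(3))
            # Options must fill exactly TcpLen - 20 bytes and pad out to a 4-byte boundary.
            opt_bytes = 0
            if len(rest) > 1 and (opts := OPTS_RE.match(rest[1])):
                names = re.findall(r"\b(MSS|NOP|SackOK|WS|TS)\b", opts.group(1))
                opt_bytes = sum(OPTION_BYTES[n] for n in names)
            e["options_ok"] = opt_bytes == e["l4len"] - 20 and opt_bytes % 4 == 0
        elif e["proto"] == "UDP" and rest and (udp := re.match(r"^Len: (\d+)$", rest[0])):
            e["l4len"] = int(udp.group(1))             # UDP length field, header included
        # "Do simple math": the IP datagram must be exactly IP header + layer-4 segment.
        e["header_ok"] = e["l4len"] is not None and e["dgmlen"] == e["iplen"] + e["l4len"]
        e["initial_ttl"] = guess_initial_ttl(e["ttl"])
        e["hops"] = e["initial_ttl"] - e["ttl"]
        e["os"] = guess_os(e["initial_ttl"], e["window"])
        entries.append(e)
    return entries

def classify(e: Dict, our_host: str) -> str:
    """Post #3's questions: who sent it, which flags, and which side holds the static port?"""
    if e["src"] == our_host:
        return "outbound"   # we originated it; portscan2 is counting *us* as the scanner
    if e["proto"] == "TCP":
        if {"S", "A"} <= e["flags"] and e["sport"] < 1024 <= e["dport"]:
            return "reply"  # SYN+ACK from a service port back to our ephemeral port
        if e["flags"] == {"S"}:
            return "probe"  # bare SYN aimed at us: someone really is knocking
    return "other"

def ignore_filter(entries: List[Dict], our_host: str) -> str:
    """BPF of the shape post #3 suggests, for hosts that only ever show up as reply traffic."""
    hosts = sorted({e["src"] for e in entries if classify(e, our_host) == "reply"})
    return " and ".join(f"not src host {h}" for h in hosts)

if __name__ == "__main__":
    for e in parse_alerts(SAMPLE_ALERTS):
        print(e["src"], e["sport"], "->", e["dst"], e["dport"], sorted(e["flags"]),
              "hops~%d" % e["hops"], e["os"], e["header_ok"], classify(e, "x.x.38.237"))
    print("BPF:", ignore_filter(parse_alerts(SAMPLE_ALERTS), "x.x.38.237"))
```

Run against the sample, the first entry comes out as a "reply" (SYN+ACK, src port 80, dst port 2590, 17 hops from an initial TTL of 64, window 5840, headers and options adding up), the UDP entry as "outbound" (the poster's own host is the "scanner", which is what the RIPE line in post #1 is), and the constructed third entry as a "probe". Two caveats a practitioner would want. First, a SYN+ACK from port 80 is only proof of an established connection if the monitored host actually sent the SYN; the conclusive check is the one post #5 names, looking at the conversation in tcpdump or tcpflow, because SYN+ACK segments can also be sent unsolicited to slip past a stateless filter, which is the trick post #4 is suspicious of. Second, the generated "not src host ..." expression, or the preprocessor's ignore-hosts list that post #3 mentions, silences those addresses entirely, so Snort will also miss anything genuinely hostile they send later; it is a convenience for a noisy image server, not a substitute for checking who opened the connection.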