Ok, here are some clues to your logs (I hope)

PROTO=17 203.109.202.82:61333 144.137.117.45:4371

this is a UDP message from 203.109.202.82 going out on port 61333 going to 144.137.117.45 to port 4371, I have no idea on what traffic this relates to.

...

PROTO=17 24.192.1.30:53 144.137.117.45:61213

This is probably a response from a DNS query. You can identify it by the outgoing port number 53.

...

PROTO=6 144.137.68.155:3890 144.137.117.45:80
PROTO=6 144.132.51.120:2653 144.137.117.45:80
PROTO=6 144.132.51.120:2653 144.137.117.45:80
PROTO=6 144.137.142.49:2698 144.137.117.45:80
PROTO=6 144.137.142.49:2698 144.137.117.45:80
PROTO=6 144.137.142.49:2698 144.137.117.45:80

These are all TCP connects to port 80 == http-request, I also seem to get loads of them the last days on my home machine and from heaps of different sources.

On a related topic, does anybody have any tips on why Snort feels that my http requests on outgoing traffic should trigger the portscan? This is a small excerpt from my log and all http and DNS queries find their way into the portscan :-(

Aug 13 17:24:21 213.89.103.160:61440 -> 212.105.121.69:80 SYN ******S*
Aug 13 17:24:22 213.89.103.160:61443 -> 212.105.121.19:80 SYN ******S*
Aug 13 17:24:22 213.89.103.160:61453 -> 204.253.104.45:80 SYN ******S*
Aug 13 17:24:22 213.89.103.160:61456 -> 208.184.29.190:80 SYN ******S*
Aug 13 17:24:23 213.89.103.160:61461 -> 194.237.107.43:80 SYN ******S*
Aug 13 17:25:21 213.89.103.160:61462 -> 193.150.195.24:53 UDP
Aug 13 17:25:21 213.89.103.160:61464 -> 216.40.34.70:80 SYN ******S*
Aug 13 17:25:22 213.89.103.160:61469 -> 216.40.34.45:80 SYN ******S*
Aug 13 17:25:22 213.89.103.160:61471 -> 216.40.34.100:80 SYN ******S*
Aug 13 17:25:23 213.89.103.160:61473 -> 216.40.32.30:80 SYN ******S*
Aug 13 17:25:24 213.89.103.160:61475 -> 193.150.195.24:53 UDP
Aug 13 17:25:24 213.89.103.160:61474 -> 216.40.32.140:80 SYN ******S*
Aug 13 17:25:25 213.89.103.160:61477 -> 24.64.63.47:80 SYN ******S*
Aug 13 17:25:26 213.89.103.160:61483 -> 216.40.34.45:80 SYN ******S*
Aug 13 17:25:28 213.89.103.160:61484 -> 216.40.32.140:80 SYN ******S*

/Anders
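
Added example, not part of the original post and not Snort's code: a simplified threshold-based scan counter run over lines from the log excerpt above, showing how ordinary outbound browsing and DNS lookups can cross a "distinct targets per time window" threshold. The thresholds (4 targets in 3 seconds), the function names and the per-host variant are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines taken from the log excerpt in the post above.
SAMPLE = """\
Aug 13 17:25:21 213.89.103.160:61462 -> 193.150.195.24:53 UDP
Aug 13 17:25:21 213.89.103.160:61464 -> 216.40.34.70:80 SYN ******S*
Aug 13 17:25:22 213.89.103.160:61469 -> 216.40.34.45:80 SYN ******S*
Aug 13 17:25:22 213.89.103.160:61471 -> 216.40.34.100:80 SYN ******S*
Aug 13 17:25:23 213.89.103.160:61473 -> 216.40.32.30:80 SYN ******S*
Aug 13 17:25:24 213.89.103.160:61475 -> 193.150.195.24:53 UDP
Aug 13 17:25:24 213.89.103.160:61474 -> 216.40.32.140:80 SYN ******S*
"""

LINE = re.compile(
    r"\w{3} +\d+ (\d+):(\d+):(\d+) ([\d.]+):\d+ -> ([\d.]+):(\d+) (\S+)")

def parse(text):
    """Return (seconds_of_day, src, dst, dport) for each log line."""
    events = []
    for m in map(LINE.match, text.splitlines()):
        if m:
            h, mi, s, src, dst, dport, _ = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s),
                           src, dst, int(dport)))
    return events

def flagged(events, key, item, threshold=4, window=3):
    """Sources with >= threshold distinct items per key within `window` seconds."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev)
    hits = set()
    for evs in by_key.values():
        evs.sort()
        for i, first in enumerate(evs):
            seen = {item(e) for e in evs[i:] if e[0] - first[0] <= window}
            if len(seen) >= threshold:
                hits.add(first[1])
    return hits

def naive(events):
    # Distinct (host, port) targets per source: browsing looks like a scan.
    return flagged(events, key=lambda e: e[1], item=lambda e: (e[2], e[3]))

def per_host_ports(events):
    # Distinct ports probed on ONE destination host by one source.
    return flagged(events, key=lambda e: (e[1], e[2]), item=lambda e: e[3])
```

Counting per destination host keeps this traffic quiet, but it also gives up detection of single-port sweeps across many hosts, so the choice of counter is a trade-off.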
