
Strange SNORT log...



Hi all.

I am writing to you because I noticed strange activity on my minion server.
I run Snort on the server and every day I receive a log of some stats
from the Snort system. The problem is that Snort sees a port scan from
my server to 4 other servers on the net every day.
I studied the Snort log and I noticed that the victims of the port
scan are 4 mixminion servers!

I paste to you part of the last log...

Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
  179  192.168.0.2      192.168.0.25     DNS SPOOF query response with TTL of 1 min. and no authority
    8  192.168.0.25     24.128.50.77     (portscan) TCP Portsweep
    8  62.94.16.209     192.168.0.25     ICMP Source Quench
    3  192.168.0.25     218.103.207.95   (portscan) TCP Portsweep
    3  192.168.0.25     65.254.37.163    (portscan) TCP Portsweep
    3  192.168.0.25     72.49.47.140     (portscan) TCP Portsweep

As you can see, I receive a DNS Spoof from the router (probably because
of dyndns.org services, and so maybe a Snort false positive) and then a
portscan follows. The very strange thing is that only 4 servers are port
scanned.
So, is this a normal action of the minion server?
Is it possible that the Snort log is a false positive due to the
connection between nodes? And, if yes, is this a possible danger for
anonymity (the Snort log is saved!!)?

Thanks,
Stefano alias ZeNo - Italy
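As an added example (not part of the post above, and not mixminion or Snort code), here is a small script that parses this kind of Snort daily summary, collects the "TCP Portsweep" events reported from the node's own address, and checks whether every sweep target is a known remailer peer; a node that talks to several peers in a short window looks exactly like a sweep to the portscan preprocessor. The `KNOWN_PEERS` set is an assumption standing in for whatever peer list the operator keeps, and the summary text is a constructed copy of the table in the post.

```python
import re

# Snort daily summary as pasted in the post (constructed copy used as sample
# input; note the DNS SPOOF "method" wraps onto a second line).
SNORT_SUMMARY = """\
 # of  from             to               method
=========================================================================
  179  192.168.0.2      192.168.0.25     DNS SPOOF query response with
TTL of 1 min. and no authority
    8  192.168.0.25     24.128.50.77     (portscan) TCP Portsweep
    8  62.94.16.209     192.168.0.25     ICMP Source Quench
    3  192.168.0.25     218.103.207.95   (portscan) TCP Portsweep
    3  192.168.0.25     65.254.37.163    (portscan) TCP Portsweep
    3  192.168.0.25     72.49.47.140     (portscan) TCP Portsweep
"""

# Assumed peer list: the four remailers this node exchanges traffic with
# (the post says the four sweep targets are mixminion servers).
KNOWN_PEERS = {"24.128.50.77", "218.103.207.95", "65.254.37.163", "72.49.47.140"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(r"^\s*(\d+)\s+(" + IPV4 + r")\s+(" + IPV4 + r")\s+(.+?)\s*$")

def parse_summary(text):
    """Return [count, src, dst, method] rows. A line that does not start with
    'count src dst' is a wrapped continuation of the previous row's method."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            count, src, dst, method = m.groups()
            rows.append([int(count), src, dst, method])
        elif rows and line.strip() and not line.startswith("="):
            rows[-1][3] += " " + line.strip()
    return rows

def outbound_sweeps(rows, local_ip):
    """Map destination -> event count for portsweeps reported from local_ip."""
    return {dst: n for n, src, dst, method in rows
            if src == local_ip and "Portsweep" in method}

def triage_sweeps(rows, local_ip, peers):
    """Split sweep targets into known peers (expected fan-out, so a likely
    false positive) and anything else, which deserves a closer look."""
    sweeps = outbound_sweeps(rows, local_ip)
    expected = {d: n for d, n in sweeps.items() if d in peers}
    unexpected = {d: n for d, n in sweeps.items() if d not in peers}
    return expected, unexpected
```

Running `triage_sweeps(parse_summary(SNORT_SUMMARY), "192.168.0.25", KNOWN_PEERS)` on the post's table puts all four targets in the expected set and leaves the unexpected set empty; a target missing from the peer list would show up in the second dict.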
