[Bro] inbound PortScans that aren't really...

Randolph Reitz rreitz at fnal.gov
Mon Oct 1 14:13:18 PDT 2007


On Sep 27, 2007, at   11:49, Robin Sommer wrote:

>
> On Wed, Sep 26, 2007 at 16:37 -0500, Randolph Reitz wrote:
>
>> few others, on the Fermilab traffic.  I see a lot of inbound scans
>> that appear to be bogus.  For example...
>
> Can you send me a trace of one of these scans? (Just TCP control
> packets is fine if there's content you can't pass on).
>
> Robin
>
> --  
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

We have a free copy of splunk indexing the /usr/local/bro/logs/*  
files.  Using splunk provides an easy way to retrieve data from all  
of the BRO files - conn, notice, info, etc.  Tim Rupp did this.  He's  
available for hire!

I saw an outbound scan report today and used this splunk command ...

. /opt/splunk/bin/setSplunkEnv; splunk search "FER.MI.LAB.IP endtime::10/01/2007:14:37:19 searchtimespanminutes::10 maxresults::1000" | cf > ~/h/bro_scan_question.txt

I've attached the file.  I know, you don't need all 1000 lines, but hey?

At the top of the file is some stuff you won't recognize ...

Oct  1 14:37:19:AddressDropped:NOTICE_ALARM_ALWAYS::FER.MI.LAB.IP:::::::::dropping address 131.225.107.90 (131.225.107.90 has scanned 250 ports of 195.56.77.182):
Oct  1 14:37:19 ? 195.56.77.182 FER.MI.LAB.IP https 1218 443 tcp ? ? S0 X cc=1
Oct  1 14:37:19 ? 195.56.77.182 FER.MI.LAB.IP https 64944 443 tcp ? ? S0 X cc=1
Oct  1 14:37:19 0.000000 195.56.77.182 FER.MI.LAB.IP https 64937 443 tcp ? 0 SHR X
Dec 31 18:00:07                                                  <- I don't know where this came from
   Create_events(dev): IP='FER.MI.LAB.IP' with 1 issues          <- This is my code that creates
   Create_events(dev): issues['FER.MI.LAB.IP'] is <type 'list'>  <- an event in our TIssue tracking
     save_issue:oid=132843792 -> issue_id=1751                   <- system
Oct  1 14:37:19 AddressDropped dropping address FER.MI.LAB.IP (FER.MI.LAB.IP has scanned 250 ports of 195.56.77.182)   <- message from scan.bro
Oct  1 14:37:19 PortScan FER.MI.LAB.IP has scanned 250 ports of 195.56.77.182
Oct  1 14:37:18 1.007632 195.56.77.182 FER.MI.LAB.IP https 1209 443 tcp ? ? RSTO X @20572   <- here you see that the
Oct  1 14:37:18 ? 195.56.77.182 FER.MI.LAB.IP https 64938 443 tcp ? ? OTH X cc=1            <- web server running on FER.MI.LAB.IP
Oct  1 14:37:18 ? 195.56.77.182 FER.MI.LAB.IP https 64936 443 tcp ? ? OTH X cc=1            <- the web browser (or whatever) is
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64927 443 tcp ? ? S1 X                  <- making requests with a different
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64932 443 tcp ? ? OTH X cc=1            <- source port.  So scan.bro's counter
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64926 443 tcp ? ? S0 X cc=1             <- increases with each connection and
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64925 443 tcp ? ? OTH X cc=1            <- reports a port scan???

Here is the file...

Name: bro_scan_question.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20071001/9dd767de/attachment.txt 

Thanks,
Randy
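The pattern Randy points at above (one client reaching a single service port from many ephemeral source ports, versus one host probing many service ports) can be told apart straight from the conn log. The following is an added example, not code from the Bro project or from the thread: it parses conn lines in the layout shown in the post and counts distinct responder ports and distinct originator ports per host pair. The 195.56.77.182 lines are taken from the post; the 10.9.9.9 lines and the threshold of 3 are constructed here for illustration (scan.bro's own counting is not reproduced).

```python
from collections import defaultdict

# Conn-log lines in the layout shown in the post: splunk's "Mon DD HH:MM:SS"
# timestamp, then duration, orig, resp, service, orig_port, resp_port, proto,
# orig_bytes, resp_bytes, state, flags, optional addl. The 10.9.9.9 lines are
# constructed to show what a genuine scan of several service ports looks like.
SAMPLE_LOG = """\
Oct  1 14:37:19 ? 195.56.77.182 FER.MI.LAB.IP https 1218 443 tcp ? ? S0 X cc=1
Oct  1 14:37:19 ? 195.56.77.182 FER.MI.LAB.IP https 64944 443 tcp ? ? S0 X cc=1
Oct  1 14:37:18 1.007632 195.56.77.182 FER.MI.LAB.IP https 1209 443 tcp ? ? RSTO X @20572
Oct  1 14:37:18 ? 195.56.77.182 FER.MI.LAB.IP https 64938 443 tcp ? ? OTH X cc=1
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64927 443 tcp ? ? S1 X
Oct  1 14:37:17 ? 195.56.77.182 FER.MI.LAB.IP https 64926 443 tcp ? ? S0 X cc=1
Oct  1 14:38:01 ? 10.9.9.9 FER.MI.LAB.IP other 40001 22 tcp ? ? REJ X
Oct  1 14:38:01 ? 10.9.9.9 FER.MI.LAB.IP other 40002 23 tcp ? ? REJ X
Oct  1 14:38:01 ? 10.9.9.9 FER.MI.LAB.IP other 40003 25 tcp ? ? REJ X
"""

CONN_FIELDS = ("duration", "orig", "resp", "service", "orig_port", "resp_port",
               "proto", "orig_bytes", "resp_bytes", "state", "flags")

def parse_conn_line(line):
    """Return a dict for a conn-log line, or None for notice/other lines."""
    f = line.split()
    if len(f) < 3 + len(CONN_FIELDS):      # 3 timestamp tokens + conn fields
        return None
    return dict(zip(CONN_FIELDS, f[3:3 + len(CONN_FIELDS)]))

def port_counts(log_text):
    """Per (orig, resp) pair: (#distinct responder ports, #distinct originator ports)."""
    resp_ports, orig_ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":   # skips notice lines too
            continue
        key = (rec["orig"], rec["resp"])
        resp_ports[key].add(rec["resp_port"])
        orig_ports[key].add(rec["orig_port"])
    return {k: (len(resp_ports[k]), len(orig_ports[k])) for k in resp_ports}

def classify(log_text, threshold=3):
    """Only many distinct *responder* ports counts as a scan; many originator
    ports toward a single service port is a busy client (the post's case)."""
    def label(n_resp, n_orig):
        if n_resp >= threshold:
            return "portscan"
        return "busy-client" if n_orig >= threshold else "normal"
    return {pair: label(*n) for pair, n in port_counts(log_text).items()}
```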
