
Portscan: 03-30-02


The attacker is 12.82.128.93

[toot@sparky /storage/snort]# host 12.82.128.93
93.128.82.12.in-addr.arpa.  domain name pointer  93.seattle-01-02rs.wa.dial-access.att.net.

Notice that his IP address is almost right on top of mine (I'm on 12.82.128.102 at this particular time); this is a little punk on a dialup into AT&T's Seattle WA POP, and I see a lot of his game-playing.

Usually he's probing for SubSeven- or NetBus-compromised hosts; looks like he's got a new toy :-/

He starts off real slow with a netBIOS probe, followed by an snmp probe, followed by some unusual icmp packets, and then bang!


The available data:

Alerts from snort to syslog/LogCheck

Alerts from ipchains to syslog/LogCheck

Odd or uncommon icmp type:code combinations as seen by ipchains

snort packet captures

identd responds very inappropriately :-/

Passive OS identification by p0f

The snort portscan preprocessor log


Principal characteristics:

  1. TTL = 127
  2. Win size = 0x2238
  3. TCP options = 4 = MSS NOP NOP SAckOK
  4. IP ID increments by one always
  5. SYN Packet length = 48
  6. TOS = 0x00 = normal service
  7. source port increments by one exclusively
  8. destination port increments from low ports to high ports mostly
  9. Initial contact: udp:137 @ 2; udp:161 @ 1; icmp 8:19; icmp 17:0; icmp 15:0; icmp 8:19
  10. ...and then the portscan itself began

OK...

As reported via syslog/LogCheck:  
Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 30 00:00:27 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP}
 12.82.128.93:2057 -> 12.82.128.102:137
Mar 30 00:00:27 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP}
 12.82.128.93:2057 -> 12.82.128.102:137

The source ports here (205x) suggest a different process from the later portscan (29xx and upward)

Mar 30 00:00:48 greatwall snort: [1:0:0] UDP to 161 snmp {UDP}
 12.82.128.93:2058 -> 12.82.128.102:161


Mar 30 00:01:12 greatwall snort: [1:0:0] ICMP echo request {ICMP}
 12.82.128.93 -> 12.82.128.102

Next, snort reports an icmp timestamp request 13:0, but ipchains, below, reports one 15:0 information request, and one 17:0 address mask request. Hmm... snort seems to be reporting one wrong, and not seeing the other at all. Not only that, but the pings are real weird -- being reported by both snort and ipchains as icmp type:code 8:19...

Mar 30 00:01:12 greatwall snort: [1:0:0] ICMP timestamp request {ICMP}
 12.82.128.93 -> 12.82.128.102

Mar 30 00:01:12 greatwall snort: [1:0:0] ICMP echo request {ICMP}
 12.82.128.93 -> 12.82.128.102


Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2956 -> 12.82.128.102:13
Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to 21 ftp {TCP}
 12.82.128.93:2957 -> 12.82.128.102:21
Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to 22 ssh {TCP}
 12.82.128.93:2958 -> 12.82.128.102:22
Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to 23 telnet {TCP}
 12.82.128.93:2959 -> 12.82.128.102:23

Here, snort's portscan preprocessor kicks in...

Mar 30 00:09:07 greatwall snort: spp_portscan: PORTSCAN DETECTED from 12.82.128.93
 (THRESHOLD 4 connections exceeded in 0 seconds)

Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2961 -> 12.82.128.102:42
Mar 30 00:09:07 greatwall snort: [1:0:0] TCP to 53 domain {TCP}
 12.82.128.93:2962 -> 12.82.128.102:53
Mar 30 00:09:09 greatwall snort: [1:0:0] TCP to 79 finger {TCP}
 12.82.128.93:2963 -> 12.82.128.102:79
Mar 30 00:09:09 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
 12.82.128.93:2964 -> 12.82.128.102:80
Mar 30 00:09:09 greatwall snort: [1:0:0] TCP to 98 linuxconf {TCP}
 12.82.128.93:2965 -> 12.82.128.102:98
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2966 -> 12.82.128.102:109
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 110 pop3 {TCP}
 12.82.128.93:2967 -> 12.82.128.102:110
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
 12.82.128.93:2968 -> 12.82.128.102:111
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 113 ident/auth {TCP}
 12.82.128.93:2969 -> 12.82.128.102:113
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2970 -> 12.82.128.102:118
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2971 -> 12.82.128.102:135
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 139 netBIOS ss {TCP}
 12.82.128.93:2972 -> 12.82.128.102:139
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2973 -> 12.82.128.102:156
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2974 -> 12.82.128.102:179
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2975 -> 12.82.128.102:371
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 443 https {TCP}
 12.82.128.93:2976 -> 12.82.128.102:443
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 445 Win2k SMB {TCP}
 12.82.128.93:2977 -> 12.82.128.102:445
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2978 -> 12.82.128.102:512
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2979 -> 12.82.128.102:513
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2980 -> 12.82.128.102:514
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to 515 lpr {TCP}
 12.82.128.93:2981 -> 12.82.128.102:515
Mar 30 00:09:11 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:2982 -> 12.82.128.102:540
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 1080 socks {TCP}
 12.82.128.93:2983 -> 12.82.128.102:1080
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 1433 MS MySQL server {TCP}
 12.82.128.93:2984 -> 12.82.128.102:1433
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2985 -> 12.82.128.102:1494
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 1993 Cisco snmp port {TCP}
 12.82.128.93:2986 -> 12.82.128.102:1993
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2987 -> 12.82.128.102:1999
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2988 -> 12.82.128.102:2049
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 3128 squid-http {TCP}
 12.82.128.93:2989 -> 12.82.128.102:3128
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2990 -> 12.82.128.102:3389
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2991 -> 12.82.128.102:5631
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 5632 PCAnywherestat {TCP}
 12.82.128.93:2992 -> 12.82.128.102:5632
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2993 -> 12.82.128.102:6789
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2994 -> 12.82.128.102:6790
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2995 -> 12.82.128.102:9100
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to 8080 webcache {TCP}
 12.82.128.93:2996 -> 12.82.128.102:8080
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2997 -> 12.82.128.102:43188
Mar 30 00:09:12 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2998 -> 12.82.128.102:25867
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:2999 -> 12.82.128.102:5800
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:3000 -> 12.82.128.102:407
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:3001 -> 12.82.128.102:800
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:3006 -> 12.82.128.102:311
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 0-1024 {TCP}
 12.82.128.93:3008 -> 12.82.128.102:548
Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to range 1025-60999 {TCP}
 12.82.128.93:3009 -> 12.82.128.102:4045

Mar 30 00:09:13 greatwall snort: spp_portscan: portscan status from
 12.82.128.93: 48 connections across 1 hosts: TCP(48), UDP(0)

Mar 30 00:09:13 greatwall snort: [1:0:0] TCP to 113 ident/auth {TCP}
 12.82.128.93:3035 -> 12.82.128.102:113

Mar 30 00:09:51 greatwall snort: spp_portscan: portscan status from 12.82.128.93:
 1 connections across 1 hosts: TCP(1), UDP(0)
Mar 30 00:09:55 greatwall snort: spp_portscan: End of portscan from 12.82.128.93:
 TOTAL time(4s) hosts(1) TCP(49) UDP(0)

 

So, here we start over with what ipchains logged:

The first udp probes from 12.82.128.93, and then icmp:

Mar 30 00:00:27 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.128.93:2057 12.82.128.102:137 L=78 S=0x00 I=34763 F=0x0000 T=127 (#27) 
Mar 30 00:00:27 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.128.93:2057 12.82.128.102:137 L=78 S=0x00 I=34764 F=0x0000 T=127 (#27) 


Mar 30 00:00:48 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
 12.82.128.93:2058 12.82.128.102:161 L=68 S=0x00 I=35186 F=0x0000 T=127 (#65)

Some odd/uncommon icmp type:code combinations?

Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1
 12.82.128.93:8 12.82.128.102:19 L=60 S=0x00 I=35872 F=0x0000 T=127 (#59)

Interesting: icmp 8:19 as a type:code? A possible signature identifying the portscanning tool being used?
icmp 8:0 would be the usual type:code for a ping...

Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1
 12.82.128.93:17 12.82.128.102:0 L=32 S=0x00 I=35873 F=0x0000 T=127 (#63)

icmp 17:0 is an address mask request, according to W.R. Stevens, TCP/IP Illustrated vol.1, p.71

Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1
 12.82.128.93:15 12.82.128.102:0 L=64 S=0x00 I=35875 F=0x0000 T=127 (#63)

icmp 15:0 is an information request (obsolete), according to Stevens

Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1
 12.82.128.93:8 12.82.128.102:19 L=60 S=0x00 I=35876 F=0x0000 T=127 (#59)

and another icmp 8:19?

So here the portscan starts in earnest at 00:09:07:

Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2956 12.82.128.102:13 L=48 S=0x00 I=47579 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
 12.82.128.93:2957 12.82.128.102:21 L=48 S=0x00 I=47580 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2958 12.82.128.102:22 L=48 S=0x00 I=47581 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2959 12.82.128.102:23 L=48 S=0x00 I=47582 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2961 12.82.128.102:42 L=48 S=0x00 I=47584 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input REJECT ppp0 PROTO=6
 12.82.128.93:2962 12.82.128.102:53 L=48 S=0x00 I=47585 F=0x4000 T=127 SYN (#50) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2963 12.82.128.102:79 L=48 S=0x00 I=47586 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2964 12.82.128.102:80 L=48 S=0x00 I=47587 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2965 12.82.128.102:98 L=48 S=0x00 I=47588 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2966 12.82.128.102:109 L=48 S=0x00 I=47589 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2967 12.82.128.102:110 L=48 S=0x00 I=47590 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2968 12.82.128.102:111 L=48 S=0x00 I=47591 F=0x4000 T=127 SYN (#64) 

OK: if you've been watching his source ports, at first glance there seems to be a gap here between what LogCheck reported as a "Security Violation" and what the snort portscan preprocessor, or ipchains, actually saw. The reason is that I've got tcp:113 ident open and logged by ipchains: what ipchains DENYs is a "Violation" to LogCheck, while what ipchains ACCEPTs and logs is only an "Unusual System Event".

Notice his source port skips one here -- from 2968 to 2970 -- he probed tcp:113 from his source port 2969, but it wasn't picked up as a "Violation" because I ACCEPT tcp:113...

So Psionic's LogCheck puts ipchains DENYs into both what it calls a "Security Violation" and what it calls an "Unusual System Event", but entries for ipchains ACCEPTs go only into "Unusual System Events".

So, in fact, there can be some interesting transactions that are not fully reported as "Violations", even though you may really want to know about them. A good example of the computer doing what it's told, but not necessarily what you might have wanted...
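To make the observations above mechanical (reading ICMP type:code out of the ipchains "port" fields, checking the "Principal characteristics" fingerprint, and exposing the DENY-only blind spot in LogCheck's "Security Violations" view), here is an added example of my own, not part of the original page: a small parser over ipchains "Packet log:" lines. The sample lines are the entries quoted on this page, re-joined onto single lines as syslog writes them; the "unusual code" rule and the IP-ID-hole heuristic are my own assumptions.

```python
import re

# Constructed sample: the ipchains "Packet log:" entries quoted on this page, each
# re-joined onto one line as syslog writes it (the page wraps them after PROTO=).
SAMPLE_LOG = """\
Mar 30 00:00:27 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 12.82.128.93:2057 12.82.128.102:137 L=78 S=0x00 I=34763 F=0x0000 T=127 (#27)
Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1 12.82.128.93:8 12.82.128.102:19 L=60 S=0x00 I=35872 F=0x0000 T=127 (#59)
Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1 12.82.128.93:17 12.82.128.102:0 L=32 S=0x00 I=35873 F=0x0000 T=127 (#63)
Mar 30 00:01:12 greatwall kernel: Packet log: input DENY ppp0 PROTO=1 12.82.128.93:15 12.82.128.102:0 L=64 S=0x00 I=35875 F=0x0000 T=127 (#63)
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.93:2967 12.82.128.102:110 L=48 S=0x00 I=47590 F=0x4000 T=127 SYN (#64)
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.93:2968 12.82.128.102:111 L=48 S=0x00 I=47591 F=0x4000 T=127 SYN (#64)
Mar 30 00:09:07 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6 12.82.128.93:2969 12.82.128.102:113 L=48 S=0x00 I=47592 F=0x4000 T=127 SYN (#24)
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.93:2970 12.82.128.102:118 L=48 S=0x00 I=47593 F=0x4000 T=127 SYN (#64)
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.93:2971 12.82.128.102:135 L=48 S=0x00 I=47594 F=0x4000 T=127 SYN (#64)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>ACCEPT|DENY|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)")

# ICMP type names after Stevens, TCP/IP Illustrated vol. 1, fig. 6.3; of these, only type 3 has codes.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              13: "timestamp request", 14: "timestamp reply", 15: "information request",
              16: "information reply", 17: "address mask request", 18: "address mask reply"}


def parse_ipchains(text):
    """Parse ipchains kernel log lines into dicts; lines that are not packet logs are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        rec = {"verdict": d["verdict"], "src": d["src"], "dst": d["dst"],
               "proto": int(d["proto"]), "len": int(d["len"]), "tos": int(d["tos"], 16),
               "ipid": int(d["ipid"]), "df": bool(int(d["frag"], 16) & 0x4000),
               "ttl": int(d["ttl"]), "syn": d["syn"] is not None, "rule": int(d["rule"])}
        if rec["proto"] == 1:
            # For ICMP, ipchains prints src:TYPE dst:CODE where the ports would go.
            rec["icmp_type"], rec["icmp_code"] = int(d["a"]), int(d["b"])
        else:
            rec["sport"], rec["dport"] = int(d["a"]), int(d["b"])
        recs.append(rec)
    return recs


def describe_icmp(rec):
    """Name an ICMP type:code pair and flag a code a normal stack would never send."""
    t, c = rec["icmp_type"], rec["icmp_code"]
    text = f"icmp {t}:{c} {ICMP_TYPES.get(t, 'unknown type')}"
    if t in ICMP_TYPES and t != 3 and c != 0:
        text += " (unusual: code should be 0)"
    return text


def fingerprint(recs, src):
    """Summarise the scanner's SYNs: the fields listed under 'Principal characteristics'."""
    syns = [r for r in recs if r["src"] == src and r["syn"]]
    ids = [r["ipid"] for r in syns]
    ports = [r["sport"] for r in syns]
    return {"ttl": sorted({r["ttl"] for r in syns}),
            "syn_len": sorted({r["len"] for r in syns}),
            "tos": sorted({r["tos"] for r in syns}),
            "df": all(r["df"] for r in syns),
            "ipid_step_one": all(b - a == 1 for a, b in zip(ids, ids[1:])),
            "sport_step_one": all(b - a == 1 for a, b in zip(ports, ports[1:]))}


def source_port_gaps(recs, src, verdicts=("DENY", "REJECT")):
    """Holes in the scanner's source-port sequence as seen through the given verdicts.
    LogCheck's 'Security Violations' view is DENY/REJECT only; add ACCEPT and the
    tcp:113 probe from source port 2969 fills the hole."""
    ports = sorted(r["sport"] for r in recs
                   if r["src"] == src and r["syn"] and r["verdict"] in verdicts)
    return [(a, b) for a, b in zip(ports, ports[1:]) if b - a > 1]


def missing_ip_ids(recs, src, max_gap=4):
    """IP IDs this host never logged, inferred from small holes in the sender's ID sequence
    (heuristic: the sender increments by one, so a hole is a packet that went unlogged)."""
    ids = sorted(r["ipid"] for r in recs if r["src"] == src)
    holes = []
    for a, b in zip(ids, ids[1:]):
        if 1 < b - a <= max_gap:
            holes.extend(range(a + 1, b))
    return holes


if __name__ == "__main__":
    recs = parse_ipchains(SAMPLE_LOG)
    print([describe_icmp(r) for r in recs if r["proto"] == 1])   # 8:19 flagged, 17:0 and 15:0 named
    print(fingerprint(recs, "12.82.128.93"))
    print(source_port_gaps(recs, "12.82.128.93"))  # [(2968, 2970)] in the DENY-only view
    print(source_port_gaps(recs, "12.82.128.93", ("ACCEPT", "DENY", "REJECT")))  # []
    print(missing_ip_ids(recs, "12.82.128.93"))  # [35874], the timestamp request only snort saw
```

The IP-ID hole at 35874 is the icmp 13:0 timestamp request that shows up in the snort capture but never in the ipchains log, so the same trick locates packets a firewall ruleset logs past.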

Here is the missing entry at this point in the sequence, taken from what LogCheck reports as an "Unusual System Event":

Here starts a separate probe to tcp:113 ident from his port 2969

Mar 30 00:09:07 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:2969 12.82.128.102:113 L=48 S=0x00 I=47592 F=0x4000 T=127 SYN (#24)

Anyway... onward with the portscan:

Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2970 12.82.128.102:118 L=48 S=0x00 I=47593 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2971 12.82.128.102:135 L=48 S=0x00 I=47594 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2972 12.82.128.102:139 L=48 S=0x00 I=47595 F=0x4000 T=127 SYN (#29) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2973 12.82.128.102:156 L=48 S=0x00 I=47596 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2974 12.82.128.102:179 L=48 S=0x00 I=47597 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2975 12.82.128.102:371 L=48 S=0x00 I=47598 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2976 12.82.128.102:443 L=48 S=0x00 I=47599 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2977 12.82.128.102:445 L=48 S=0x00 I=47600 F=0x4000 T=127 SYN (#33) 
Mar 30 00:09:07 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2978 12.82.128.102:512 L=48 S=0x00 I=47601 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2979 12.82.128.102:513 L=48 S=0x00 I=47602 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2980 12.82.128.102:514 L=48 S=0x00 I=47603 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2981 12.82.128.102:515 L=48 S=0x00 I=47604 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2982 12.82.128.102:540 L=48 S=0x00 I=47605 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2983 12.82.128.102:1080 L=48 S=0x00 I=47606 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2984 12.82.128.102:1433 L=48 S=0x00 I=47607 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2985 12.82.128.102:1494 L=48 S=0x00 I=47608 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2986 12.82.128.102:1993 L=48 S=0x00 I=47609 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2987 12.82.128.102:1999 L=48 S=0x00 I=47610 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2988 12.82.128.102:2049 L=48 S=0x00 I=47611 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2989 12.82.128.102:3128 L=48 S=0x00 I=47612 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2990 12.82.128.102:3389 L=48 S=0x00 I=47613 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2991 12.82.128.102:5631 L=48 S=0x00 I=47614 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2992 12.82.128.102:5632 L=48 S=0x00 I=47615 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2993 12.82.128.102:6789 L=48 S=0x00 I=47616 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2994 12.82.128.102:6790 L=48 S=0x00 I=47617 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2995 12.82.128.102:9100 L=48 S=0x00 I=47618 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2996 12.82.128.102:8080 L=48 S=0x00 I=47619 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2997 12.82.128.102:43188 L=48 S=0x00 I=47620 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:08 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2998 12.82.128.102:25867 L=48 S=0x00 I=47621 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:2999 12.82.128.102:5800 L=48 S=0x00 I=47622 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3000 12.82.128.102:407 L=48 S=0x00 I=47623 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3001 12.82.128.102:800 L=48 S=0x00 I=47624 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3002 12.82.128.102:799 L=48 S=0x00 I=47625 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3003 12.82.128.102:2000 L=48 S=0x00 I=47626 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3004 12.82.128.102:2001 L=48 S=0x00 I=47627 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3005 12.82.128.102:119 L=48 S=0x00 I=47628 F=0x4000 T=127 SYN (#64) 

Here his tcp:113 ident probe continues from his source port 2969, which I'd say was a separate process from the portscan, itself...

...or, maybe the portscanner program detaches a process when it receives an ACK from a given port, and continues with that separate probe...

Mar 30 00:09:09 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:2969 12.82.128.102:113 L=40 S=0x00 I=47629 F=0x4000 T=127 (#24)
Mar 30 00:09:09 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:2969 12.82.128.102:113 L=40 S=0x00 I=47630 F=0x4000 T=127 (#24)

and here his portscan continues in sequence, with the next source port 3006...

Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 
 12.82.128.93:3006 12.82.128.102:311 L=48 S=0x00 I=47631 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3007 12.82.128.102:389 L=48 S=0x00 I=47632 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3008 12.82.128.102:548 L=48 S=0x00 I=47633 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3009 12.82.128.102:4045 L=48 S=0x00 I=47634 F=0x4000 T=127 SYN (#64) 

Here's where snort seems to start dropping packets, see below...

Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3010 12.82.128.102:6699 L=48 S=0x00 I=47635 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3011 12.82.128.102:6346 L=48 S=0x00 I=47636 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3012 12.82.128.102:427 L=48 S=0x00 I=47637 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3013 12.82.128.102:4001 L=48 S=0x00 I=47638 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:09 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3014 12.82.128.102:6001 L=48 S=0x00 I=47639 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3015 12.82.128.102:8888 L=48 S=0x00 I=47640 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3016 12.82.128.102:9001 L=48 S=0x00 I=47641 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3017 12.82.128.102:12345 L=48 S=0x00 I=47642 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3018 12.82.128.102:20034 L=48 S=0x00 I=47643 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3019 12.82.128.102:31337 L=48 S=0x00 I=47644 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3020 12.82.128.102:27374 L=48 S=0x00 I=47645 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3021 12.82.128.102:6670 L=48 S=0x00 I=47646 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3022 12.82.128.102:2583 L=48 S=0x00 I=47647 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3023 12.82.128.102:30999 L=48 S=0x00 I=47648 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3024 12.82.128.102:5400 L=48 S=0x00 I=47649 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3025 12.82.128.102:44444 L=48 S=0x00 I=47650 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3026 12.82.128.102:1015 L=48 S=0x00 I=47651 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3027 12.82.128.102:31787 L=48 S=0x00 I=47652 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3028 12.82.128.102:17300 L=48 S=0x00 I=47653 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3029 12.82.128.102:5550 L=48 S=0x00 I=47654 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3030 12.82.128.102:9400 L=48 S=0x00 I=47655 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3031 12.82.128.102:5882 L=48 S=0x00 I=47656 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3032 12.82.128.102:23432 L=48 S=0x00 I=47657 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3033 12.82.128.102:12349 L=48 S=0x00 I=47658 F=0x4000 T=127 SYN (#64) 
Mar 30 00:09:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 12.82.128.93:3034 12.82.128.102:17569 L=48 S=0x00 I=47659 F=0x4000 T=127 SYN (#64) 

The first tcp:113 ident probe completes:

Mar 30 00:09:11 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:2969 12.82.128.102:113 L=40 S=0x00 I=47660 F=0x4000 T=127 (#24)

And here the second tcp:113 ident probe starts -- this is the one my firewall responded to :-/

Mar 30 00:09:11 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:3035 12.82.128.102:113 L=48 S=0x00 I=47661 F=0x4000 T=127 SYN (#24)
Mar 30 00:09:11 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:3035 12.82.128.102:113 L=40 S=0x00 I=47662 F=0x4000 T=127 (#24)
Mar 30 00:09:12 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:3035 12.82.128.102:113 L=49 S=0x00 I=47663 F=0x4000 T=127 (#24)
Mar 30 00:09:12 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:3035 12.82.128.102:113 L=40 S=0x00 I=47664 F=0x4000 T=127 (#24)
Mar 30 00:09:13 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=6
 12.82.128.93:3035 12.82.128.102:113 L=40 S=0x00 I=47716 F=0x4000 T=127 (#24)

And we're done...


Full snort packet logs:

My responses are the packets with 12.82.128.102 as the source address.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:00:27.390053 12.82.128.93:2057 -> 12.82.128.102:137
UDP TTL:127 TOS:0x0 ID:34763 IpLen:20 DgmLen:78
Len: 58
01 F8 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:00:27.410048 12.82.128.93:2057 -> 12.82.128.102:137
UDP TTL:127 TOS:0x0 ID:34764 IpLen:20 DgmLen:78
Len: 58
01 F8 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:00:48.450028 12.82.128.93:2058 -> 12.82.128.102:161
UDP TTL:127 TOS:0x0 ID:35186 IpLen:20 DgmLen:68
Len: 48
30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02  0&.....public...
01 2F 02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06  ./......0.0...+.
01 02 01 01 02 00 05 00                          ........

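As an added example (mine, not from the original page), here is a decoder for the two UDP probe payloads dumped above, so the hex reads as what it is: a NetBIOS node status request for the wildcard name "*" (NBSTAT, the query behind a name-table lookup such as nbtstat -A), and an SNMPv1 GetRequest with community "public" for 1.3.6.1.2.1.1.2.0 (sysObjectID.0). The dump text is copied from the captures above; the BER reader assumes short-form lengths, which is all this 40-byte request needs.

```python
import struct

# The two UDP probe payloads, copied from the snort dumps on this page (only the hex columns are used).
NBNS_DUMP = """\
01 F8 00 10 00 01 00 00 00 00 00 00 20 43 4B 41  ............ CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21  AAAAAAAAAAAAA..!
00 01                                            ..
"""
SNMP_DUMP = """\
30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02  0&.....public...
01 2F 02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06  ./......0.0...+.
01 02 01 01 02 00 05 00                          ........
"""


def dump_to_bytes(dump):
    """Rebuild the payload from snort's dump: the first 47 columns hold the 16 hex bytes."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(h, 16) for h in line[:47].split())
    return bytes(out)


def decode_nbns_query(pkt):
    """Parse a NetBIOS Name Service question (RFC 1002 section 4.2.1)."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    pos = 12                                   # past the 12-byte DNS-style header
    length, pos = pkt[pos], pos + 1
    encoded = pkt[pos:pos + length].decode("ascii")
    pos += length + 1                          # skip the 0x00 label terminator
    # First-level encoding: each raw byte becomes two letters, 'A' + high nibble, 'A' + low nibble.
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, len(encoded), 2))
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "qdcount": qdcount,
            "name": raw[:15].rstrip(b" \x00").decode("ascii"), "suffix": raw[15],
            "qtype": {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype)), "qclass": qclass}


def ber_tlv(buf, pos):
    """Read one BER TLV with a short-form length; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length


def ber_oid(v):
    """Decode an OBJECT IDENTIFIER value: first byte packs two arcs, the rest are base-128."""
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_snmp_get(pkt):
    """Parse an SNMPv1 GetRequest (RFC 1157): version, community, request-id, requested OIDs."""
    tag, msg, _ = ber_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message SEQUENCE")
    _, ver, pos = ber_tlv(msg, 0)
    _, community, pos = ber_tlv(msg, pos)
    pdu_tag, pdu, _ = ber_tlv(msg, pos)
    _, reqid, pos = ber_tlv(pdu, 0)
    _, _, pos = ber_tlv(pdu, pos)              # error-status
    _, _, pos = ber_tlv(pdu, pos)              # error-index
    _, vblist, _ = ber_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = ber_tlv(vblist, pos)
        _, oid, _ = ber_tlv(vb, 0)
        oids.append(ber_oid(oid))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("ascii"),
            "pdu": {0xA0: "GetRequest", 0xA1: "GetNextRequest"}.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(reqid, "big"), "oids": oids}


if __name__ == "__main__":
    print(decode_nbns_query(dump_to_bytes(NBNS_DUMP)))  # name '*', NBSTAT: a node status request
    print(decode_snmp_get(dump_to_bytes(SNMP_DUMP)))    # community 'public', 1.3.6.1.2.1.1.2.0
```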
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:01:12.020051 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35872 IpLen:20 DgmLen:60
Type:8  Code:19  ID:2   Seq:1  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:01:12.040094 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35874 IpLen:20 DgmLen:64
Type:13  Code:0  TIMESTAMP REQUEST
A5 2F 03 00 47 F4 52 00 55 55 55 55 55 55 55 55  ./..G.R.UUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55                          UUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:01:12.040939 12.82.128.102 -> 12.82.128.93
ICMP TTL:255 TOS:0x0 ID:35303 IpLen:20 DgmLen:40
Type:14  Code:0  TIMESTAMP REPLY
A5 2F 03 00 47 F4 52 00 01 B8 8D 68 01 B8 8D 68  ./..G.R....h...h

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:01:12.050115 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35875 IpLen:20 DgmLen:64
Type:15  Code:0  INFO REQUEST
A4 07 04 00 FB F4 52 00 55 55 55 55 55 55 55 55  ......R.UUUUUUUU
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55  UUUUUUUUUUUUUUUU
55 55 55 55 55 55 55 55                          UUUUUUUU

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:01:12.060384 12.82.128.93 -> 12.82.128.102
ICMP TTL:127 TOS:0x0 ID:35876 IpLen:20 DgmLen:60
Type:8  Code:19  ID:2   Seq:1  ECHO
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

Here's where the real portscan begins in earnest:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.520042 12.82.128.93:2956 -> 12.82.128.102:13
TCP TTL:127 TOS:0x0 ID:47579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x518E8A1B  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.540065 12.82.128.93:2957 -> 12.82.128.102:21
TCP TTL:127 TOS:0x0 ID:47580 IpLen:20 DgmLen:48 DF
******S* Seq: 0x518F7842  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.550066 12.82.128.93:2958 -> 12.82.128.102:22
TCP TTL:127 TOS:0x0 ID:47581 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519012E8  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.560062 12.82.128.93:2959 -> 12.82.128.102:23
TCP TTL:127 TOS:0x0 ID:47582 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5190F6F5  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.580067 12.82.128.93:2961 -> 12.82.128.102:42
TCP TTL:127 TOS:0x0 ID:47584 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51927DA7  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.590065 12.82.128.93:2962 -> 12.82.128.102:53
TCP TTL:127 TOS:0x0 ID:47585 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5193531B  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.591135 12.82.128.102 -> 12.82.128.93
ICMP TTL:255 TOS:0xC0 ID:35468 IpLen:20 DgmLen:96
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
12.82.128.93:2962 -> 12.82.128.102:53
TCP TTL:127 TOS:0x0 ID:47585 IpLen:20 DgmLen:48
******S* Seq: 0x5193531B  Ack: 0x0  Win: 0x2238  TcpLen: 28
** END OF DUMP
00 00 00 00 45 00 00 30 B9 E1 40 00 7F 06 28 7F  ....E..0..@...(.
0C 52 80 5D 0C 52 80 66 0B 92 00 35 51 93 53 1B  .R.].R.f...5Q.S.
00 00 00 00 70 02 22 38 97 0A 00 00 02 04 05 B4  ....p."8........
01 01 04 02 9F A7 00 00 68 DC 03 40 00 00 00 00  ........h..@....
00 00 00 00 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

(I respond with an ipchains REJECT to tcp:53 packets; see: 030802_tcp_53.html; so this results in an icmp port unreachable going out...)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.600063 12.82.128.93:2963 -> 12.82.128.102:79
TCP TTL:127 TOS:0x0 ID:47586 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5193FB44  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.610056 12.82.128.93:2964 -> 12.82.128.102:80
TCP TTL:127 TOS:0x0 ID:47587 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5194A220  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.620062 12.82.128.93:2965 -> 12.82.128.102:98
TCP TTL:127 TOS:0x0 ID:47588 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51956E16  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.630057 12.82.128.93:2966 -> 12.82.128.102:109
TCP TTL:127 TOS:0x0 ID:47589 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519646CB  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.640055 12.82.128.93:2967 -> 12.82.128.102:110
TCP TTL:127 TOS:0x0 ID:47590 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519708C6  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.650079 12.82.128.93:2968 -> 12.82.128.102:111
TCP TTL:127 TOS:0x0 ID:47591 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5197E45A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.660069 12.82.128.93:2969 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47592 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5198DC9A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.661446 12.82.128.102:113 -> 12.82.128.93:2969
TCP TTL:64 TOS:0x0 ID:35492 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9978D36  Ack: 0x5198DC9B  Win: 0x77C4  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.670072 12.82.128.93:2970 -> 12.82.128.102:118
TCP TTL:127 TOS:0x0 ID:47593 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51999F60  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.680062 12.82.128.93:2971 -> 12.82.128.102:135
TCP TTL:127 TOS:0x0 ID:47594 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519A7AC2  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.690060 12.82.128.93:2972 -> 12.82.128.102:139
TCP TTL:127 TOS:0x0 ID:47595 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519B2809  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.700131 12.82.128.93:2973 -> 12.82.128.102:156
TCP TTL:127 TOS:0x0 ID:47596 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519BE13A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.710219 12.82.128.93:2974 -> 12.82.128.102:179
TCP TTL:127 TOS:0x0 ID:47597 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519D1673  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.720073 12.82.128.93:2975 -> 12.82.128.102:371
TCP TTL:127 TOS:0x0 ID:47598 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519DA486  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.730069 12.82.128.93:2976 -> 12.82.128.102:443
TCP TTL:127 TOS:0x0 ID:47599 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519E46CC  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.740072 12.82.128.93:2977 -> 12.82.128.102:445
TCP TTL:127 TOS:0x0 ID:47600 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519EDA93  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.750106 12.82.128.93:2978 -> 12.82.128.102:512
TCP TTL:127 TOS:0x0 ID:47601 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519F738C  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.760058 12.82.128.93:2979 -> 12.82.128.102:513
TCP TTL:127 TOS:0x0 ID:47602 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A00261  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.770064 12.82.128.93:2980 -> 12.82.128.102:514
TCP TTL:127 TOS:0x0 ID:47603 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A0E524  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.780047 12.82.128.93:2981 -> 12.82.128.102:515
TCP TTL:127 TOS:0x0 ID:47604 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A1CB7C  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.790052 12.82.128.93:2982 -> 12.82.128.102:540
TCP TTL:127 TOS:0x0 ID:47605 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A29EB7  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.800066 12.82.128.93:2983 -> 12.82.128.102:1080
TCP TTL:127 TOS:0x0 ID:47606 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A388EC  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.800121 12.82.128.93:2984 -> 12.82.128.102:1433
TCP TTL:127 TOS:0x0 ID:47607 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A47794  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.810074 12.82.128.93:2985 -> 12.82.128.102:1494
TCP TTL:127 TOS:0x0 ID:47608 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A4F7EB  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.820068 12.82.128.93:2986 -> 12.82.128.102:1993
TCP TTL:127 TOS:0x0 ID:47609 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A582B8  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.830068 12.82.128.93:2987 -> 12.82.128.102:1999
TCP TTL:127 TOS:0x0 ID:47610 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A61CF7  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.840063 12.82.128.93:2988 -> 12.82.128.102:2049
TCP TTL:127 TOS:0x0 ID:47611 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A6F6B6  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.850093 12.82.128.93:2989 -> 12.82.128.102:3128
TCP TTL:127 TOS:0x0 ID:47612 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A7EB00  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.860089 12.82.128.93:2990 -> 12.82.128.102:3389
TCP TTL:127 TOS:0x0 ID:47613 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A8E556  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.870052 12.82.128.93:2991 -> 12.82.128.102:5631
TCP TTL:127 TOS:0x0 ID:47614 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51A9A68D  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.880057 12.82.128.93:2992 -> 12.82.128.102:5632
TCP TTL:127 TOS:0x0 ID:47615 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AA9C8D  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.890050 12.82.128.93:2993 -> 12.82.128.102:6789
TCP TTL:127 TOS:0x0 ID:47616 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AB9936  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.900045 12.82.128.93:2994 -> 12.82.128.102:6790
TCP TTL:127 TOS:0x0 ID:47617 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AC2A34  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.910044 12.82.128.93:2995 -> 12.82.128.102:9100
TCP TTL:127 TOS:0x0 ID:47618 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51ACFC09  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.910098 12.82.128.93:2996 -> 12.82.128.102:8080
TCP TTL:127 TOS:0x0 ID:47619 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51ADBB35  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.920075 12.82.128.93:2997 -> 12.82.128.102:43188
TCP TTL:127 TOS:0x0 ID:47620 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AE817D  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.930081 12.82.128.93:2998 -> 12.82.128.102:25867
TCP TTL:127 TOS:0x0 ID:47621 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AF3512  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.940070 12.82.128.93:2999 -> 12.82.128.102:5800
TCP TTL:127 TOS:0x0 ID:47622 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51AFFDD4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.950070 12.82.128.93:3000 -> 12.82.128.102:407
TCP TTL:127 TOS:0x0 ID:47623 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51B0A959  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.960065 12.82.128.93:3001 -> 12.82.128.102:800
TCP TTL:127 TOS:0x0 ID:47624 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51B14B43  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:09.450403 12.82.128.102:113 -> 12.82.128.93:2969
TCP TTL:64 TOS:0x0 ID:35508 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE9978D37  Ack: 0x5198DC9C  Win: 0x77C4  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:09.454975 12.82.128.102:113 -> 12.82.128.93:2969
TCP TTL:64 TOS:0x0 ID:35509 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xE9978D37  Ack: 0x5198DC9C  Win: 0x7D78  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:09.480060 12.82.128.93:3006 -> 12.82.128.102:311
TCP TTL:127 TOS:0x0 ID:47631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51BC5E04  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:09.700154 12.82.128.93:3008 -> 12.82.128.102:548
TCP TTL:127 TOS:0x0 ID:47633 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51BDEB8E  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:09.700229 12.82.128.93:3009 -> 12.82.128.102:4045
TCP TTL:127 TOS:0x0 ID:47634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51BEE5D7  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

So here snort seems to break down and start dropping packets: ipchains logs source port:3010/IP ID 47635 and onward, and snort doesn't.

ipchains continues to log consecutive packets for almost two more seconds, all the way up to source port:3034/IP ID 47659, followed by the final packet of the first tcp:113 probe (source port:2969/IP ID 47660); only with the next packet does snort start logging again.

Anyway, what happens next, I don't like at all:

 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:11.580096 12.82.128.93:3035 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47661 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51DA4819  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:11.580476 12.82.128.102:113 -> 12.82.128.93:3035
TCP TTL:64 TOS:0x0 ID:35640 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0xE9DEA08C  Ack: 0x51DA481A  Win: 0x77C4  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:11.870110 12.82.128.93:3035 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47662 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x51DA481A  Ack: 0xE9DEA08D  Win: 0x2238  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:11.880895 12.82.128.102:113 -> 12.82.128.93:3035
TCP TTL:64 TOS:0x0 ID:35696 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE9DEA08D  Ack: 0x51DA4823  Win: 0x77C4  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:11.880089 12.82.128.93:3035 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47663 IpLen:20 DgmLen:49 DF
***AP*** Seq: 0x51DA481A  Ack: 0xE9DEA08D  Win: 0x2238  TcpLen: 20
56 45 52 53 49 4F 4E 0D 0A                       VERSION..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Dammit dammit dammit...


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:12.363729 12.82.128.102:113 -> 12.82.128.93:3035
TCP TTL:64 TOS:0x0 ID:35705 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0xE9DEA08D  Ack: 0x51DA4823  Win: 0x7D78  TcpLen: 20
30 20 2C 20 30 20 3A 20 58 2D 56 45 52 53 49 4F  0 , 0 : X-VERSIO
4E 20 3A 20 70 69 64 65 6E 74 64 20 33 2E 30 2E  N : pidentd 3.0.
31 30 20 66 6F 72 20 4C 69 6E 75 78 20 32 2E 32  10 for Linux 2.2
2E 35 2D 32 32 73 6D 70 20 28 46 65 62 20 32 32  .5-22smp (Feb 22
20 32 30 30 30 20 31 36 3A 31 34 3A 32 31 29 0D   2000 16:14:21).
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I don't like that one bit...

That's quite an eye-opener. I'll have to go back to locking that down with an ipchains DENY. I thought I had /etc/identd.conf pretty well set up, but apparently not...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:12.650127 12.82.128.93:3035 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47664 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x51DA4823  Ack: 0xE9DEA0DE  Win: 0x21E7  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:12.650797 12.82.128.102:113 -> 12.82.128.93:3035
TCP TTL:64 TOS:0x0 ID:35801 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xE9DEA0DE  Ack: 0x51DA4824  Win: 0x7D77  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:12.656481 12.82.128.102:113 -> 12.82.128.93:3035
TCP TTL:64 TOS:0x0 ID:35803 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xE9DEA0DE  Ack: 0x51DA4824  Win: 0x7D78  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:13.190077 12.82.128.93:3035 -> 12.82.128.102:113
TCP TTL:127 TOS:0x0 ID:47716 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x51DA4824  Ack: 0xE9DEA0DF  Win: 0x21E7  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================

Snort processed 61 packets.
Breakdown by protocol:                Action Stats:

    TCP: 53         (86.885%)         ALERTS: 0         
    UDP: 3          (4.918%)          LOGGED: 0         
   ICMP: 5          (8.197%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

Passive OS identification by p0f:

<Sat Mar 30 00:09:07 2002> 12.82.128.93 [2 hops]: Windows NT 5.0 (2)
 + 12.82.128.93:2956 -> 12.82.128.102:13 (timestamp: 55242243 @1017475747)

<Sat Mar 30 00:09:07 2002> 12.82.128.93 [2 hops]: Windows NT 5.0 (2)
 + 12.82.128.93:2957 -> 12.82.128.102:21 (timestamp: 55242243 @1017475747)

<Sat Mar 30 00:09:07 2002> 12.82.128.93 [2 hops]: Windows NT 5.0 (2)
 + 12.82.128.93:2958 -> 12.82.128.102:22 (timestamp: 55242243 @1017475747)

<Sat Mar 30 00:09:07 2002> 12.82.128.93 [2 hops]: Windows NT 5.0 (2)
 + 12.82.128.93:2959 -> 12.82.128.102:23 (timestamp: 55242243 @1017475747)

<Sat Mar 30 00:09:07 2002> 12.82.128.93 [2 hops]: Windows NT 5.0 (2)
 + 12.82.128.93:2961 -> 12.82.128.102:42 (timestamp: 55242243 @1017475747)
:
:
<snip>

Let's take a shot at this by hand...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.520042 12.82.128.93:2956 -> 12.82.128.102:13
TCP TTL:127 TOS:0x0 ID:47579 IpLen:20 DgmLen:48 DF
******S* Seq: 0x518E8A1B  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.540065 12.82.128.93:2957 -> 12.82.128.102:21
TCP TTL:127 TOS:0x0 ID:47580 IpLen:20 DgmLen:48 DF
******S* Seq: 0x518F7842  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.550066 12.82.128.93:2958 -> 12.82.128.102:22
TCP TTL:127 TOS:0x0 ID:47581 IpLen:20 DgmLen:48 DF
******S* Seq: 0x519012E8  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.560062 12.82.128.93:2959 -> 12.82.128.102:23
TCP TTL:127 TOS:0x0 ID:47582 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5190F6F5  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/30-00:09:07.580067 12.82.128.93:2961 -> 12.82.128.102:42
TCP TTL:127 TOS:0x0 ID:47584 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51927DA7  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
:
:
<snip>

TTL = 127 = decrement from 128 = Win 2K, Win NT, Win 98

Win = 0x2238 = dec 8760 = Solaris 7

TCP options = 4 = MSS NOP NOP SAckOK = Win 2K, Win NT, Win 98

IP ID = increments by 1 = Solaris 7, AIX, Win 2K

SYN packet length = 48 = Win 2K, Win NT, Win 98
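The by-hand matching above can be mechanised: parse the snort text dump, pull out the fields the table keys on (TTL, window, option layout, datagram length, IP ID step across consecutive SYNs), and let each field vote for the OSes it is associated with. The script below is an added example, not code from the page or from snort/p0f; the per-field candidate lists are copied from the table above, while the vote-counting on top of them and the three-packet sample dump (values taken from the capture) are this example's own construction. It also shows why a single field such as the 0x2238 window is a weak signal on its own: across all five fields, Win 2K collects the most votes, which agrees with p0f's "Windows NT 5.0" verdict.

```python
import re
from collections import Counter

# Constructed sample input: three consecutive SYNs copied from the snort text
# dump on this page, so the parser can be exercised offline.
SAMPLE_DUMP = """\
03/30-00:09:07.600063 12.82.128.93:2963 -> 12.82.128.102:79
TCP TTL:127 TOS:0x0 ID:47586 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5193FB44  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

03/30-00:09:07.610056 12.82.128.93:2964 -> 12.82.128.102:80
TCP TTL:127 TOS:0x0 ID:47587 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5194A220  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

03/30-00:09:07.620062 12.82.128.93:2965 -> 12.82.128.102:98
TCP TTL:127 TOS:0x0 ID:47588 IpLen:20 DgmLen:48 DF
******S* Seq: 0x51956E16  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# One regex per line type of the snort "-v" text format used above.
HDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)")
OPT_RE = re.compile(r"^TCP Options \(\d+\) => (.+?)\s*$")

# Candidate lists as written out in the table above (the page's own data).
# The voting that uses them is this example's heuristic, not p0f's method.
FIELD_HINTS = {
    ("ttl", 127): ["Win 2K", "Win NT", "Win 98"],
    ("win", 0x2238): ["Solaris 7"],
    ("options", "MSS NOP NOP SACKOK"): ["Win 2K", "Win NT", "Win 98"],
    ("ipid_step", 1): ["Solaris 7", "AIX", "Win 2K"],
    ("dgmlen", 48): ["Win 2K", "Win NT", "Win 98"],
}


def parse_snort_dump(text):
    """Split a snort text dump into one dict per packet (headers only)."""
    pkts, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HDR_RE.match(line)
        if m:
            cur = {"src": m.group(1), "sport": int(m.group(2)) if m.group(2) else None,
                   "dst": m.group(3), "dport": int(m.group(4)) if m.group(4) else None}
            pkts.append(cur)
            continue
        if cur is None:
            continue
        m = IP_RE.match(line)
        if m:
            cur["proto"] = m.group(1)
            cur["ttl"] = int(m.group(2))
            cur["tos"] = int(m.group(3), 16)
            cur["ipid"] = int(m.group(4))
            cur["dgmlen"] = int(m.group(6))
            continue
        m = TCP_RE.match(line)
        if m:
            cur["flags"] = m.group(1)
            cur["win"] = int(m.group(4), 16)
            cur["tcplen"] = int(m.group(5))
            continue
        m = OPT_RE.match(line)
        if m:
            # "MSS: 1460 NOP NOP SackOK" -> "MSS NOP NOP SACKOK": keep the option
            # layout, drop the MSS value, so it can be compared as one token string.
            toks = [t.rstrip(":") for t in m.group(1).split() if not t.isdigit()]
            cur["options"] = " ".join(t.upper() for t in toks)
    return pkts


def ipid_step(pkts):
    """Constant IP ID increment between consecutive packets, or None if it varies."""
    ids = [p["ipid"] for p in pkts if "ipid" in p]
    steps = {b - a for a, b in zip(ids, ids[1:])}
    return steps.pop() if len(steps) == 1 else None


def guess_os(pkts):
    """Vote each observed field's candidate OS list; returns a Counter of votes."""
    syns = [p for p in pkts if p.get("flags") == "******S*"]
    votes = Counter()
    if not syns:
        return votes
    first = syns[0]
    observed = [("ttl", first["ttl"]), ("win", first["win"]),
                ("options", first.get("options", "")),
                ("dgmlen", first["dgmlen"]), ("ipid_step", ipid_step(syns))]
    for key in observed:
        for os_name in FIELD_HINTS.get(key, []):
            votes[os_name] += 1
    return votes


if __name__ == "__main__":
    for os_name, n in guess_os(parse_snort_dump(SAMPLE_DUMP)).most_common():
        print(f"{n} votes: {os_name}")
```

Feeding more of the capture in (the full set of SYNs) only strengthens the IP ID step vote; a varying step would drop that field out of the vote rather than mis-attribute it.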


/var/log/snort/portscan.log from the snort portscan preprocessor:

<snip>
# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings. 
preprocessor portscan: $HOME_NET 4 3 portscan.log
#
<snip>

Mar 30 00:09:07 12.82.128.93:2956 -> 12.82.128.102:13 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2957 -> 12.82.128.102:21 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2958 -> 12.82.128.102:22 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2959 -> 12.82.128.102:23 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2961 -> 12.82.128.102:42 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2962 -> 12.82.128.102:53 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2963 -> 12.82.128.102:79 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2964 -> 12.82.128.102:80 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2965 -> 12.82.128.102:98 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2966 -> 12.82.128.102:109 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2967 -> 12.82.128.102:110 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2968 -> 12.82.128.102:111 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2969 -> 12.82.128.102:113 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2970 -> 12.82.128.102:118 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2971 -> 12.82.128.102:135 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2972 -> 12.82.128.102:139 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2973 -> 12.82.128.102:156 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2974 -> 12.82.128.102:179 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2975 -> 12.82.128.102:371 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2976 -> 12.82.128.102:443 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2977 -> 12.82.128.102:445 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2978 -> 12.82.128.102:512 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2979 -> 12.82.128.102:513 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2980 -> 12.82.128.102:514 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2981 -> 12.82.128.102:515 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2982 -> 12.82.128.102:540 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2983 -> 12.82.128.102:1080 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2984 -> 12.82.128.102:1433 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2985 -> 12.82.128.102:1494 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2986 -> 12.82.128.102:1993 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2987 -> 12.82.128.102:1999 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2988 -> 12.82.128.102:2049 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2989 -> 12.82.128.102:3128 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2990 -> 12.82.128.102:3389 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2991 -> 12.82.128.102:5631 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2992 -> 12.82.128.102:5632 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2993 -> 12.82.128.102:6789 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2994 -> 12.82.128.102:6790 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2995 -> 12.82.128.102:9100 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2996 -> 12.82.128.102:8080 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2997 -> 12.82.128.102:43188 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2998 -> 12.82.128.102:25867 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:2999 -> 12.82.128.102:5800 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:3000 -> 12.82.128.102:407 SYN ******S* 
Mar 30 00:09:07 12.82.128.93:3001 -> 12.82.128.102:800 SYN ******S* 
Mar 30 00:09:09 12.82.128.93:3006 -> 12.82.128.102:311 SYN ******S* 
Mar 30 00:09:09 12.82.128.93:3008 -> 12.82.128.102:548 SYN ******S* 
Mar 30 00:09:09 12.82.128.93:3009 -> 12.82.128.102:4045 SYN ******S* 
hmm.. here the portscan preprocessor seems to drop a lot of packets..
Mar 30 00:09:11 12.82.128.93:3035 -> 12.82.128.102:113 SYN ******S* 
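The preprocessor's rule as configured above ("$HOME_NET 4 3": four distinct ports within three seconds) is simple enough to re-implement as a sliding-window check over the portscan.log lines themselves, which is useful for re-scoring a log after the fact, for instance when the preprocessor itself was dropping packets as it appears to here. The script below is an added example, not snort's code and not from the page: it parses the log format shown above, keeps per-source history of the last three seconds, and alerts once per source when the distinct-port count reaches the threshold. The sample lines mix the first entries of the page's log with two made-up hosts (10.0.0.5, 10.0.0.7) that are not on the page, one staying under the threshold and one sending a non-SYN probe. Treating any ACK-less, non-SYN flag combination as "stealth" is this example's own simplification of what snort flags regardless of threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first portscan.log lines from this page, interleaved
# with two hosts (10.0.0.5 and 10.0.0.7) invented for the example.
SAMPLE_LOG = """\
Mar 30 00:09:07 12.82.128.93:2956 -> 12.82.128.102:13 SYN ******S*
Mar 30 00:09:07 12.82.128.93:2957 -> 12.82.128.102:21 SYN ******S*
Mar 30 00:09:07 10.0.0.5:40001 -> 12.82.128.102:80 SYN ******S*
Mar 30 00:09:07 12.82.128.93:2958 -> 12.82.128.102:22 SYN ******S*
Mar 30 00:09:07 12.82.128.93:2959 -> 12.82.128.102:23 SYN ******S*
Mar 30 00:09:07 12.82.128.93:2961 -> 12.82.128.102:42 SYN ******S*
Mar 30 00:09:08 10.0.0.5:40002 -> 12.82.128.102:443 SYN ******S*
Mar 30 00:09:20 10.0.0.7:1234 -> 12.82.128.102:22 NULL ********
""".splitlines()

# "Mon DD HH:MM:SS src:sport -> dst:dport TYPE [flags]"; UDP lines carry no flags.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ([\d.]+):(\d+) -> ([\d.]+):(\d+) (\S+)(?: ([12UAPRSF*]{8}))?\s*$"
)


def parse_portscan_line(line):
    """Parse one portscan.log line into a dict, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog-style stamps carry no year; the default (1900) is fine for deltas.
    stamp = " ".join(m.group(1).split())
    return {
        "ts": datetime.strptime(stamp, "%b %d %H:%M:%S"),
        "src": m.group(2), "sport": int(m.group(3)),
        "dst": m.group(4), "dport": int(m.group(5)),
        "type": m.group(6), "flags": m.group(7),
    }


def is_stealth(flags):
    """Example heuristic: any TCP flag string that is neither a bare SYN nor
    carries ACK (NULL, FIN, XMAS, SYN/FIN ...) is treated as a stealth probe."""
    return flags is not None and "A" not in flags and flags != "******S*"


def detect_portscans(lines, threshold=4, window=3.0):
    """Sliding-window detector mirroring '$HOME_NET 4 3': alert once per source
    when >= threshold distinct destination ports are seen within window seconds;
    stealth-flagged packets alert immediately."""
    history = defaultdict(list)   # src -> [(timestamp, dport), ...]
    alerted = set()
    alerts = []
    for rec in map(parse_portscan_line, lines):
        if rec is None:
            continue
        if is_stealth(rec["flags"]):
            alerts.append((rec["src"], "stealth", rec["flags"]))
            continue
        hist = history[rec["src"]]
        hist.append((rec["ts"], rec["dport"]))
        cutoff = rec["ts"] - timedelta(seconds=window)
        while hist and hist[0][0] < cutoff:      # expire entries outside the window
            hist.pop(0)
        distinct_ports = {port for _, port in hist}
        if len(distinct_ports) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], "portscan", len(distinct_ports)))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_portscans(SAMPLE_LOG):
        print(f"{src}: {kind} ({detail})")
```

With the page's configuration the alert fires on the fourth distinct port (tcp:23), exactly where snort's own preprocessor would; raising the window or lowering the threshold is how you trade false positives for catching slower scans.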

jsage@finchhaven.com
Last modified: Mon Apr 1 09:45:56 2002