Calling out to IT nerds, this one fell asleep in class :(

Discussion in 'Non Technical' started by JETzx, Oct 31, 2006.

  1. JETzx

    JETzx X-FACTOR

    How's it going guys, would you be kind enough to help me out with this question?

    "
    Briefly explain the following snort output:

    [**] SCAN Proxy (8080) attempt [**]
    10/19-16:05:17.158329 10.1.1.254:55415 -> 10.1.1.67:8080
    TCP TTL:64 TOS:0x0 ID:39399 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x6E8722C1 Ack: 0x0 Win: 0x16D0 TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 1206303526 0 NOP WS: 2
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"

    Many thanks in advance
    Cheers
    pat
     
  2. artin

    artin ...there is no spoon

    Hmm, this one's a bit too advanced for me... what is this output from? Like, what do you do to get this output?
     
  3. Eastern Eye

    Eastern Eye !!! MOST WANTED !!!

  4. black baz

    black baz black 'n blue Bazemy

    definitely an output from way toooo much snort ..!!

    ..methinks .. umm, must do something about posting pics, one day ..:eek: :eek: snort, snort, snort ... :p :p :p ;) ;) ;) :eek: :eek: :eek: :D :D :D

     
  5. bigbaz

    bigbaz New Member

    At least you know your Sack is OK
     
  6. black baz

    black baz black 'n blue Bazemy

    bigbaz .. not necessarily so .. that could mean that it is OK to go ahead with the sacking ... ..lol..lol..!!:eek: :eek: :eek: :p :p ;) ;)

     
  7. bigbaz

    bigbaz New Member

    Oh yeah, well I suppose if that's the case I would suggest a plenum pull and some chrome badges :D :cool:, won't help with the sacking but you will have some sweet bling and a bit more reliability.
     
  8. loud'n'proud

    loud'n'proud Challenge Accepted

    easy mate

    the answer is 42....

    what's the question again?
     
  9. Claymen

    Claymen Active Member

    Hmmmm, well...

    Being that Snort is used for intrusion detection, my guess is that it's picked up someone scanning port 8080, which is commonly used for web proxies. In other words, it looks like someone is trying to find open proxies and happened to scan your IP. They were probably scanning an entire IP range.

    Sorry I can't be any more helpful, but I haven't used Snort in a while.
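    The alert in the first post can be read mechanically, and doing so makes the "scan" reading concrete. The following is an added example, not code from the thread or from the Snort project: a small parser for Snort's full alert format (the five-line block quoted above is embedded as the constructed sample) that decodes the flag string, checks the header lengths and lists the observations an analyst would draw from each field. The TTL and window-size remarks are generic OS-fingerprinting heuristics, not facts the thread establishes.

```python
"""Parse a Snort full-format alert and explain what each field tells you."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the alert quoted in the first post, copied verbatim.
SAMPLE_ALERT = """\
[**] SCAN Proxy (8080) attempt [**]
10/19-16:05:17.158329 10.1.1.254:55415 -> 10.1.1.67:8080
TCP TTL:64 TOS:0x0 ID:39399 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6E8722C1 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 1206303526 0 NOP WS: 2
"""

# Snort prints the TCP flag byte as eight positions in this fixed order:
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
# '*' means the flag is clear, so "******S*" is a bare SYN.
FLAG_ORDER = "12UAPRSF"
FLAG_WORDS = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


@dataclass
class SnortAlert:
    msg: str
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    ip_id: int
    ip_len: int
    dgm_len: int
    ip_flags: set      # IP header flags printed as bare words, e.g. {"DF"}
    tcp_flags: set     # decoded from the "******S*" string, e.g. {"SYN"}
    seq: int
    ack: int
    window: int
    tcp_len: int
    option_count: int
    options: str       # raw option text after "=>"


def parse_alert(text: str) -> SnortAlert:
    """Parse the five-line 'full' alert format shown in the thread."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    msg = re.fullmatch(r"\[\*\*\] (.+?) \[\*\*\]", lines[0]).group(1)
    ts, sip, sport, dip, dport = re.fullmatch(
        r"(\S+) (\S+):(\d+) -> (\S+):(\d+)", lines[1]).groups()
    # IP line: "TCP TTL:64 TOS:0x0 ID:39399 IpLen:20 DgmLen:60 DF"
    ip_tokens = lines[2].split()
    kv = dict(tok.split(":", 1) for tok in ip_tokens[1:] if ":" in tok)
    ip_flags = {tok for tok in ip_tokens[1:] if ":" not in tok}
    # TCP line: "******S* Seq: 0x6E8722C1 Ack: 0x0 Win: 0x16D0 TcpLen: 40"
    flagstr, seq, ack, win, tcplen = re.fullmatch(
        r"([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) "
        r"Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)", lines[3]).groups()
    tcp_flags = {FLAG_WORDS[FLAG_ORDER[i]] for i, c in enumerate(flagstr) if c != "*"}
    opt_count, opts = 0, ""
    if len(lines) > 4:
        m = re.fullmatch(r"TCP Options \((\d+)\) => (.*)", lines[4])
        if m:
            opt_count, opts = int(m.group(1)), m.group(2)
    return SnortAlert(msg, ts, sip, int(sport), dip, int(dport), ip_tokens[0],
                      int(kv["TTL"]), int(kv["ID"]), int(kv["IpLen"]), int(kv["DgmLen"]),
                      ip_flags, tcp_flags, int(seq, 16), int(ack, 16), int(win, 16),
                      int(tcplen), opt_count, opts)


def explain(a: SnortAlert) -> list:
    """Turn the parsed fields into the observations an analyst would make."""
    notes = []
    if a.tcp_flags == {"SYN"} and a.ack == 0:
        notes.append("bare SYN with Ack 0: the opening packet of a TCP handshake, "
                     "i.e. a connection attempt from %s, not a reply" % a.src_ip)
    if a.dst_port == 8080:
        notes.append("destination port 8080: a common HTTP proxy port, which is why "
                     "the rule names it a proxy scan")
    if a.dgm_len - a.ip_len - a.tcp_len == 0:
        notes.append("DgmLen %d = IpLen %d + TcpLen %d: no payload at all, a probe "
                     "rather than data" % (a.dgm_len, a.ip_len, a.tcp_len))
    if ipaddress.ip_address(a.src_ip).is_private:
        notes.append("source %s is a private (RFC 1918) address: the probe came from "
                     "inside the network, not from the Internet" % a.src_ip)
    if a.ttl == 64:  # heuristic: 64 is the default initial TTL of Linux/BSD stacks
        notes.append("TTL 64 matches the Linux/BSD default initial TTL; if it started "
                     "there, no router has decremented it, so the sender is on the local segment")
    if a.window == 0x16D0:  # heuristic: 5840 is the Linux 2.4/2.6 default SYN window
        notes.append("Win 5840 (0x16D0) with MSS 1460: the classic Linux 2.4/2.6 SYN window")
    return notes


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print("%s: %s:%d -> %s:%d [%s]" % (alert.msg, alert.src_ip, alert.src_port,
                                        alert.dst_ip, alert.dst_port, ",".join(sorted(alert.tcp_flags))))
    for n in explain(alert):
        print(" -", n)
```

    Run it as-is and it prints the decoded alert followed by the six observations; the length check (60 = 20 + 40) is the quickest way to see that this was an empty SYN, not a request carrying data.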

     
  10. JETzx

    JETzx X-FACTOR

    Thanks claymen and others for help
    Cheers
    Pat

     
  11. vbevan

    vbevan Active Member

    I don't use Snort, but this looks like an internal query. 10.1.1.254 is sending a ping to 10.1.1.67. Since .254 is using port 55415, and I think 10.1.1.254 is usually one of the addresses used by a server, I'd say the server was sending .67 a hello or maybe some data on port 8080. The rest of the crap I know bits and pieces of, but it isn't as important...

    EDIT: just rechecked, also, sometimes 8080 is used by some trojans to send data through. Make sure you have a virus-checker running just in case. (Though I assume if you're playing with port scanners you know enough to have an anti-virus up.)
     
    Last edited: Nov 1, 2006
  12. XTREME ZX

    XTREME ZX ZED Xtremist

    Pat

    It's a little difficult to understand the switches specified. But if it was someone port scanning externally, chances are that your machine would not have responded to an 8080 port request. If you are running a proxy and you have a predefined port of 8080 then yes, you may have been pinged.

    I would run a finger on your machine (fingerprint) to see if there was anything left behind in the recent probe... (geez, this sounds like a sexual story HAHAHAHAH). There are tools out there that can do this for you... Just google it. Or you can try this site:
    http://www.snort.org/archive-2-3029.html

    I would look at changing the proxy port to a .pac file; this will remove the dependency on the port traffic and rather route traffic through a config. This in turn will allow the specific ports to traverse on your network....

    Just a thought...

    terry

     
  13. CurnZ

    CurnZ zero rwkw

    http://en.wikipedia.org/wiki/Snort_%28software%29

    wiki is your friend.

     