portscans while playing counterstrike

Dennis Koslowski dkoslowski@astaro.com
Mon, 16 Jul 2001 09:28:38 +0200


According to Frank's rules, these are the packets that were logged AFTER
the "portscan" was detected. It's a feature ;) The psd was initially
developed as a target, and it logged the initial scanned port sequence.
After the release, you Netfilter guys re-implemented it as a match.
It's OK, but now psd lacks the possibility to report the information
about the initial sequence. It could be done via the /proc framework, which
is simple, but I have no time for it yet :)

--
Dennis Koslowski <dkoslowski@astaro.de>  | Product Development
Astaro AG | http://www.astaro.de  | +49-721-490069-0 | Fax -55


> -----Original Message-----
> From: Alexander Demenshin [mailto:aldem-nf@aldem.net]
> Sent: Sunday, July 15, 2001 9:09 PM
> To: netfilter@us5.samba.org
> Subject: Re: portscans while playing counterstrike
> 
> 
> On Sun, Jul 15, 2001 at 03:42:18PM +0200, duranicub@t-online.de wrote:
> 
> > $IPTABLES -I PREROUTING -t mangle -i ppp0 -m psd -m limit --limit 5/minute \
> >     -j LOG --log-prefix '####P O R T   S C A N####'
> >
> > ... has 2 times reported that the Counterstrike server I was playing on
> > has done portscans against me WHILE I AM PLAYING THERE.
> 
>   According to the info in your log, this is not a portscan, and
>   this is normal.
> 
>   Packets which are going from port 27015 from the server are just
>   part of the communication, nothing more. The problem is in the `psd'
>   match, which erroneously treats those packets as a portscan (I've no
>   idea why; normally a portscan is something that is spread over several
>   ports and/or hosts in a short period of time, in your case there is
>   only one port).
> 
> /Al
> 
> 

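As an added example (not code from this thread, from the netfilter psd match, or from Astaro), here is a simplified psd-style detector in Python that models the two points made above: it keeps state per source address, adds weight for each distinct destination port seen within a delay window, flags the source once the weight crosses a threshold, and from then on matches every packet from that source, which is what an iptables LOG rule behind the match would record. The threshold and weight values, the class and function names, and the packet samples are assumptions constructed for the example; a game server answering from port 27015 to one client port never builds up weight, while a source walking seven privileged ports does, and the resulting log shows only the packets after detection, not the port sequence that triggered it.

```python
"""Simplified psd-style port-scan detector (added example, not the netfilter psd code).

Assumed parameters: the weight/delay thresholds and low/high port weights
below are illustrative numbers, not values taken from the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WEIGHT_THRESHOLD = 21   # assumed: flag a source once its accumulated port weight reaches this
DELAY_THRESHOLD = 3.0   # assumed: seconds of silence after which the per-source state resets
LO_PORT_WEIGHT = 3      # assumed: a probe to a port < 1024 counts more ...
HI_PORT_WEIGHT = 1      # ... than a probe to a high port


@dataclass
class HostState:
    last_seen: float = 0.0
    weight: int = 0
    ports: List[int] = field(default_factory=list)      # distinct destination ports probed so far
    detected_at: Optional[float] = None
    trigger_sequence: Tuple[int, ...] = ()               # the port sequence that caused detection


class PortScanDetector:
    def __init__(self) -> None:
        self.hosts = defaultdict(HostState)
        self.log: List[dict] = []                         # what a LOG rule after the match would record
        self.scans: List[Tuple[str, Tuple[int, ...]]] = []  # (source, initial port sequence)

    def packet(self, ts: float, src: str, sport: int, dport: int) -> bool:
        """Return True when the packet would match the psd-style rule (and so be logged)."""
        st = self.hosts[src]
        if st.detected_at is not None:
            # Source already flagged: every later packet matches, even plain traffic to
            # a single port. The log therefore shows packets AFTER detection, not the
            # sequence that triggered it.
            self.log.append({"ts": ts, "src": src, "sport": sport, "dport": dport})
            return True
        if ts - st.last_seen > DELAY_THRESHOLD:
            st.weight, st.ports = 0, []                    # too slow to be one scan: start over
        st.last_seen = ts
        if dport not in st.ports:                          # repeats to the same port add no weight
            st.ports.append(dport)
            st.weight += LO_PORT_WEIGHT if dport < 1024 else HI_PORT_WEIGHT
        if st.weight >= WEIGHT_THRESHOLD:
            st.detected_at = ts
            st.trigger_sequence = tuple(st.ports)          # the information only the target version logged
            self.scans.append((src, st.trigger_sequence))
            self.log.append({"ts": ts, "src": src, "sport": sport, "dport": dport})
            return True
        return False


def sample_traffic() -> List[Tuple[float, str, int, int]]:
    """Constructed packets as (ts, src, sport, dport); not captured data."""
    pkts = []
    # A real scan: one source walking seven privileged ports in 0.6 s, then hitting 8080.
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143]):
        pkts.append((0.1 * i, "10.0.0.9", 40000 + i, p))
    for i in range(3):
        pkts.append((0.7 + 0.1 * i, "10.0.0.9", 40100 + i, 8080))
    # A game server answering from port 27015 to the client's single port: one port, many packets.
    for i in range(100):
        pkts.append((0.1 * i, "203.0.113.5", 27015, 27005))
    return sorted(pkts)


def run_sample() -> PortScanDetector:
    det = PortScanDetector()
    for ts, src, sport, dport in sample_traffic():
        det.packet(ts, src, sport, dport)
    return det


if __name__ == "__main__":
    det = run_sample()
    for src, seq in det.scans:
        print(f"scan from {src}: initial port sequence {seq}")
    for e in det.log:
        print(f"LOG t={e['ts']:.1f} {e['src']}:{e['sport']} -> :{e['dport']}")
```

Running it, the only flagged source is 10.0.0.9, and the log for it lists the last probed port followed by the 8080 packets; the seven-port sequence itself survives only in `scans`, which stands in for the data the target version logged and the match version has no way to expose.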