[Snort-devel] portscan?

Erek Adams erek at ...105...
Fri Sep 21 08:15:03 EDT 2001

On Fri, 21 Sep 2001, Lukasz Gogolewski wrote:

> Does it mean that my machine runs portscan?
> [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from xxxxxxxxxxxx (THRESHOLD 4 connections exceeded in 2 seconds) [**]
> 09/21-10:18:05.851650
> [**] [100:2:1] spp_portscan: portscan status from xxxxxxxxxxxxxx: 7 connections across 7 hosts: TCP(6), UDP(1) [**]
> 09/21-10:18:09.130737

Not unless the xxxxxxxxxxxx is your IP.  If it's from an external net, it
normally means that someone at that xxxxxxxxxxxx IP scanned your net.  Have a
look in your logs directory (/var/log/snort, perhaps?) for a file called
portscan.log.  That file will show who scanned which hosts and what port.

Hope this helps!

Erek Adams
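
The check described in the reply, as an added example that is not part of the original message and is not Snort code: a Python script that parses the two spp_portscan alert formats quoted above and reports whether each scan source lies inside your own network. The `triage` function, the home network value and the sample alert lines (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re

# The two alert formats quoted in the message above.
DETECTED = re.compile(
    r"spp_portscan: PORTSCAN DETECTED from (?P<src>\S+) "
    r"\(THRESHOLD (?P<conns>\d+) connections exceeded in (?P<secs>\d+) seconds\)")
STATUS = re.compile(
    r"spp_portscan: portscan status from (?P<src>[^:\s]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")

# Constructed sample alerts; addresses are from documentation ranges.
SAMPLE = [
    "[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 2 seconds) [**]",
    "[**] [100:2:1] spp_portscan: portscan status from 198.51.100.7: 7 connections across 7 hosts: TCP(6), UDP(1) [**]",
    "[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 2 seconds) [**]",
    "[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from xxxxxxxxxxxx (THRESHOLD 4 connections exceeded in 2 seconds) [**]",
    "09/21-10:18:05.851650",
]

def triage(lines, home_net):
    """Summarise spp_portscan alerts per source and flag sources inside home_net."""
    net = ipaddress.ip_network(home_net)
    summary = {}
    for line in lines:
        m = DETECTED.search(line) or STATUS.search(line)
        if not m:
            continue  # timestamps and unrelated alerts
        src = m.group("src")
        try:
            internal = ipaddress.ip_address(src) in net
        except ValueError:
            internal = None  # masked or malformed source field
        rec = summary.setdefault(src, {"internal": internal, "detected": False,
                                       "hosts": 0, "tcp": 0, "udp": 0})
        if "hosts" in m.groupdict():
            # Status line: keep the largest counts seen for this source.
            for key in ("hosts", "tcp", "udp"):
                rec[key] = max(rec[key], int(m.group(key)))
        else:
            rec["detected"] = True
    return summary

if __name__ == "__main__":
    for src, rec in triage(SAMPLE, "192.0.2.0/24").items():
        where = {True: "INSIDE home net", False: "external", None: "unparsed"}[rec["internal"]]
        print(f"{src:15} {where:16} {rec}")
```

A source flagged as inside the home network is the case where one of your own machines is doing the scanning; an external source is the usual case of someone scanning your net.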

