[Snort-sigs] Spp portscan

Imran William Smith iwsmith at ...500...
Thu May 30 23:48:01 EDT 2002


Matt,

spp stands for Snort preprocessor.

Port scans are where somebody uses something like nmap
(www.insecure.org) to scan through all possible ports on
a system, to see which ones respond.  For example, a Unix
machine might well have ssh, smtp, sunrpc ports open.
Once an attacker knows you have those ports open (listening
for incoming connections) they can

(1) make some informed guesses about your architecture,
    and how secure your system is
(2) target future attacks at the programs listening to those ports.

The 'spp preprocessor' detects such scans.

Port scans are unfortunately a big part of being on the internet.
You could notify / complain to every network / host that scans
you.  A lot of the time, they will have been attacked and won't
know it, so you are helping them.  Other times, nobody will
reply.  The best defense is to make sure all unnecessary ports
are closed, after first scanning yourself with nmap.

For a vast amount of security information, I recommend
www.securityfocus.com
http://rr.sans.org
http://www.theregus.com/content/55/index.html

And of course, www.snort.org 


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message ----- 
From: "Matt" <btc1 at ...608...>
To: "Snort" <snort-sigs at lists.sourceforge.net>
Sent: Friday, May 31, 2002 2:24 PM
Subject: [Snort-sigs] Spp portscan


| Hello All
| Being a newbie to Snort I was wondering if someone could help me with a
| question I had.
| 
| I use Snort at home on my personal machines as a way to try to keep track of
| what's going on. I haven't been using it long, only a few weeks. I have read
| all I can get my hands on and feel I have a nice basic understanding of it
| and have begun to experiment with custom rules in an attempt to maximize its
| effectiveness for this application. I would like to build on what I have
| learned so far and was wondering about recommended reading from the members
| here.
| I am running Snort on Linux Mandrake and Win XP so I can see what
| differences there can be between the two OSes.
| The first question I have is what the heck is a spp portscan?
| I've done searches and dug for info but I don't get the big flick on these.
| Since I get them so often here, are they normal??
| Should I be worried (I'm thinking they are someone probing me but not 100%
| sure)? Is it just background noise from the internet? Can I / should I
| modify my rules to ignore them?
| 
| I know this may sound stupid but I gotta start somewhere, right?
| 
| Thanks in advance for all your comments
| 
| Sincere Thanks
| 
| Matthew S Barnes
| 
| 
| 
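
Added example, not part of the original thread and not Snort's code: a simplified sketch of the threshold idea behind portscan detection, flagging any source that touches several distinct ports within a short window. The thresholds, record format, sample events and the `ignore_sources` allowlist (for example, your own host when scanning yourself with nmap) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, dest_ip, dest_port).
# All addresses come from documentation ranges; none are real observations.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", "192.0.2.10", 21),
    (0.2, "198.51.100.7", "192.0.2.10", 22),
    (0.4, "198.51.100.7", "192.0.2.10", 23),
    (0.5, "203.0.113.5", "192.0.2.10", 80),
    (0.6, "198.51.100.7", "192.0.2.10", 25),
    (0.8, "198.51.100.7", "192.0.2.10", 111),
    (30.0, "203.0.113.5", "192.0.2.10", 80),
    (60.0, "203.0.113.5", "192.0.2.10", 443),
    (90.0, "203.0.113.9", "192.0.2.10", 22),
    (95.0, "203.0.113.9", "192.0.2.10", 25),
    (200.0, "203.0.113.9", "192.0.2.10", 111),
]


def detect_portscans(events, max_ports=4, window=3.0, ignore_sources=()):
    """Return {source_ip: sorted ports} for every source that reached at
    least `max_ports` distinct (dest, port) targets within `window` seconds."""
    recent = defaultdict(deque)  # source -> (ts, dest, port) still in window
    flagged = {}                 # source -> set of (dest, port) seen while alerting
    ignored = set(ignore_sources)
    for ts, src, dst, port in sorted(events):
        if src in ignored:       # e.g. your own scanner host
            continue
        queue = recent[src]
        queue.append((ts, dst, port))
        # Drop connection attempts that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        targets = {(d, p) for _, d, p in queue}
        if len(targets) >= max_ports:
            flagged.setdefault(src, set()).update(targets)
    return {src: sorted({p for _, p in t}) for src, t in flagged.items()}


if __name__ == "__main__":
    for src, ports in detect_portscans(SAMPLE_EVENTS).items():
        print(f"possible portscan from {src}: ports {ports}")
```

A source that spaces its probes further apart than the window (203.0.113.9 in the sample data) is not flagged at the default settings, which is why the thresholds are parameters.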




