[Snort-sigs] Spp portscan

Matt btc1 at ...608...
Fri May 31 02:50:13 EDT 2002


Hello Mr.Imran William smith

Thank you for your thoughtful and very helpful comments. I appreciate you
taking the time to respond. I am trying to absorb as much information as
fast as I can and your comments will give me many more things to study!
I have traced the several of the portscans back and found that some are from
valid internet addresses like CNET.com? and others are from sites with less
reputable reputations. So I will be attempting to add the good sites to a
list of ignored alarms so I don't get as many false positives. As for the
bad sites I am still debating how to deal with them. I have forwarded some
of the logs to my isp but never get a response from them. I am assuming they
have the same problems as me to deal with so I don't expect much but figure
maybe on an off chance they will be helpful in some way.
I have also tried to harden my system as much as I can (ongong process at
best) and hope that someday soon I can get that warm fuzzy feeling that my
systems are secure but I am not there yet.
I am a little disappointed that I haven't figured out how to auto block the
scans in windows like I can in linux using portsentry . Do you know of a
product that will allow this type of automatic response to malicious
activity?

Again thanks for your time, Have a great day.

Sincerely
Matthew S Barnes

-----Original Message-----
From: Imran William Smith [mailto:iwsmith at ...500...]
Sent: Friday, May 31, 2002 2:47 AM
To: Matt
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Spp portscan


Matt,

spp stands for snort pre processor.

Port scans are where somebody uses something like nmap
(www.insecure.org) to scan through all possible ports on
a system, to see which ones respond.  For example, a unix
Machine might well have ssh, smtp, sunrpc ports open.
Once an attacker knows you have those ports open (listening
for incoming connections) they can

(1) make some informed guesses about your architecture,
    and how secure your system is
(2) target future attacks at the programs listening to those ports.

The 'spp preprocessor' detects such scans.

Port scans are unfortunately a big part of being on the internet.
You could notify / complain to every network / host that scans
you.  A lot of the time, they will have been attacked and won't
know it, so you are helping them.  Other times, nobody will
reply.  The best defense is to make sure all unnecessary ports
are closed, after first scanning yourself with nmap.

For a vast amount of security information, I recommend
www.securityfocus.com
http://rr.sans.org
http://www.theregus.com/content/55/index.html

And of course, www.snort.org


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message -----
From: "Matt" <btc1 at ...608...>
To: "Snort" <snort-sigs at lists.sourceforge.net>
Sent: Friday, May 31, 2002 2:24 PM
Subject: [Snort-sigs] Spp portscan


| Hello All
| Being a newbie to Snort I was wondering if someone could help me with a
| question I had.
|
| I use snort at home on my personal machines as a way to try to keep track
of
| whats going on. I havent been using it long only a few weeks ,I have read
| all I can get my hands on and feel I have a nice basic understanding of it
| and have begun to experiment with custom rules in attempt to maximize its
| effectiveness for this application. I would like to build on what I have
| learned so far and was wondering about recommended reading from the
members
| here
| I am running snort on linux mandrake and win xp so i can see what
| differences can be between the two os's.
| The first question i have is what the heck is a spp portscan?
| ive done searches  and dug for info but i dont get the big flick on these
| since i get them so often here are they normal??
| should i be worried (im thinking they are someone probing me but not 100 %
| sure) is it just background noise from the internet ? can i / should i
| modify my rules to ignore them?
|
| I know this may sound stupid but i gotta start somewhere right?
|
| Thanks in advance for all your comments
|
| Sincere Thanks
|
| Matthew S Barnes
|
|
| _______________________________________________________________
|
| Don't miss the 2002 Sprint PCS Application Developer's Conference
| August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
|
| _______________________________________________
| Snort-sigs mailing list
| Snort-sigs at lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/snort-sigs
|





More information about the Snort-sigs mailing list