[Snort-sigs] Portscan reporting

Antony J. Shepherd antony.s at ...1308...
Mon Feb 17 01:30:14 EST 2003


We had this portscan report that went on for hours. When I checked the
portscan.log file, it seemed that the access was originating on port 20
(FTP_Data) at the far end, and chugging through every single port from 1024
onwards on our end. This turned out to be due to a colleague sending a large
file by FTP to a client, and it was the client's IP address that was showing
up.

Any ideas why an FTP upload should get picked up as a portscan by Snort?

Yours,
Antony J. Shepherd.





More information about the Snort-sigs mailing list