[Snort-sigs] Portscan reporting

Robert Wagner rwagner at ...447...
Mon Feb 17 06:20:03 EST 2003

What are the settings for portscan in snort.conf?

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...849...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

# preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.

-----Original Message-----
From: Antony J. Shepherd [mailto:antony.s at ...1308...]
Sent: Monday, February 17, 2003 3:30 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Portscan reporting

We had this portscan report that went on for hours. When I checked the
portscan.log file, it seemed that the access was originating on port 20
(FTP_Data) at the far end, and chugging through every single port from 1024
onwards on our end. This turned out to be due to a colleague sending a large
file by FTP to a client, and it was the client's IP address that was showing

Any ideas why an FTP upload should get picked up as a portscan by Snort?

Antony J. Shepherd.

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list