[Snort-sigs] Portscan reporting

Robert Wagner rwagner at ...447...
Mon Feb 17 07:45:11 EST 2003


Thoughts - What was the FTP client that the user was using?  I am not
familiar, but it seems odd that the ftp server would send that many SYN
packets to that many ports on the client machine.  Maybe it was some special
FTP server that (when used with the correct client) could open multiple
sessions??
Kind of odd since IP has the ability to widen the data stream to occupy the
entire bandwidth available.
I haven't had an FTP server get picked up by portscan like that.
Anyone else have any ideas?


-----Original Message-----
From: Antony J. Shepherd [mailto:antony.s at ...1308...]
Sent: Monday, February 17, 2003 8:56 AM
To: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Portscan reporting




> -----Original Message-----
> From: Robert Wagner [mailto:rwagner at ...447...]
> Sent: 17 February 2003 14:19
> To: 'antony.s at ...1308...'; snort-sigs at lists.sourceforge.net
> Subject: RE: [Snort-sigs] Portscan reporting
>
>
> What are the settings for portscan in snort.conf?
>
preprocessor portscan: $DTS_NET 4 3 /var/log/snort/portscan.log

where DTS_NET is our range of IP addresses.

The reason I'm not using portscan2 is because that doesn't get picked up by
ACID which I'm using to keep track of what's going on.

Antony J. Shepherd.
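
An added illustration, not part of either poster's message and not Snort's own code: a simplified Python model of the threshold in the portscan line above, reading "4 3" as four distinct ports from one source within three seconds (the exact trigger condition is an assumption). It shows how a burst of SYNs from one server to several client ports, as described in the thread, crosses that threshold while slower connections do not. All addresses, ports and timestamps are constructed sample values.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 4   # the "4" in the preprocessor line on this page
WINDOW_SECONDS = 3   # the "3" in the preprocessor line on this page


def detect_portscans(syn_events, ports=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return (timestamp, src_ip, distinct_ports) the first time each source
    reaches `ports` distinct (dst_ip, dst_port) targets within `window` seconds.

    syn_events: iterable of (timestamp, src_ip, dst_ip, dst_port) for TCP SYNs.
    Assumption: reaching the count (>=) is the trigger; the real preprocessor
    may differ in detail.
    """
    recent = defaultdict(deque)   # src_ip -> SYNs still inside the window
    flagged = set()               # sources already reported once
    alerts = []
    for ts, src, dst, dport in sorted(syn_events):
        q = recent[src]
        q.append((ts, dst, dport))
        # Drop SYNs that have aged out of the detection period.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= ports and src not in flagged:
            flagged.add(src)
            alerts.append((ts, src, len(distinct)))
    return alerts


# Constructed sample traffic (documentation addresses, made-up ports).
# An FTP server opening data connections to five client ports in 2 seconds:
FTP_BURST = [(0.5 * i, "192.0.2.10", "192.0.2.50", 1025 + i) for i in range(5)]
# Another host touching four ports, but only one every 2 seconds:
SLOW_HOST = [(2.0 * i, "192.0.2.20", "192.0.2.50", 2000 + i) for i in range(4)]
SAMPLE_EVENTS = FTP_BURST + SLOW_HOST

if __name__ == "__main__":
    for ts, src, count in detect_portscans(SAMPLE_EVENTS):
        print(f"t={ts:.1f}s portscan threshold reached by {src}: "
              f"{count} ports within {WINDOW_SECONDS}s")
```

Raising the port count or shortening the period in this model shows how much headroom a legitimate multi-connection server would need before it stops being reported.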


