[Snort-sigs] Portscan reporting

Detmar Liesen counter.spy at ...52...
Sat Feb 22 04:11:16 EST 2003

Hi folks,
from my experience, portscan-detects due to FTP connections
are quite normal for both active and passive FTP connections.

There are FTP-Clients that open several FTP connections using 
different high portnumbers.

The same behavior can be seen for active connections vice-versa.

Another protocol where several connections are opened in a short period of
time is HTTP.

However, I'd be glad if some other people can confirm this.



-----Original Message-----
From: Antony J. Shepherd [mailto:antony.s at ...1308...]
Sent: Monday, February 17, 2003 3:30 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Portscan reporting

We had this portscan report that went on for hours. When I checked the
portscan.log file, it seemed that the access was originating on port 20
(FTP_Data) at the far end, and chugging through every single port from 1024
onwards on our end. This turned out to be due to a colleague sending a large
file by FTP to a client, and it was the client's IP address that was showing

Any ideas why an FTP upload should get picked up as a portscan by Snort?

Antony J. Shepherd.
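
The false positive discussed in this thread, as an added example that is not part of either message and is not Snort's own code: a simplified distinct-port threshold detector (a stand-in for a portscan preprocessor) alerts on active-mode FTP data connections, and a triage step checks whether an alert is explained by an existing FTP control channel. All addresses, ports, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (time_s, src_ip, src_port, dst_ip, dst_port).
# 10.0.0.5 is the local FTP client, 192.0.2.10 a remote FTP server.
EVENTS = [(0, "10.0.0.5", 40000, "192.0.2.10", 21)]  # FTP control channel
# Active-mode data channels: the server connects from port 20 to a new
# high port on the client for every transfer or directory listing.
EVENTS += [(1 + i, "192.0.2.10", 20, "10.0.0.5", 1024 + i) for i in range(8)]
# Unrelated host probing low ports, with no FTP control channel.
EVENTS += [(2 + i, "198.51.100.7", 50000 + i, "10.0.0.5", 20 + i) for i in range(8)]

def naive_portscan_alerts(events, threshold=5, window=60):
    """Alert when a source hits >= threshold distinct ports on one target in `window` seconds."""
    seen = defaultdict(list)
    alerts = set()
    for t, src, _sport, dst, dport in sorted(events):
        hits = seen[(src, dst)]
        hits.append((t, dport))
        recent_ports = {p for ts, p in hits if t - ts <= window}
        if len(recent_ports) >= threshold:
            alerts.add((src, dst))
    return alerts

def explained_by_active_ftp(alert, events):
    """True if every flagged connection looks like an active-mode FTP data channel."""
    src, dst = alert
    data = [e for e in events if e[1] == src and e[3] == dst]
    first_seen = min(e[0] for e in data)
    from_port_20 = all(e[2] == 20 for e in data)
    to_high_ports = all(e[4] >= 1024 for e in data)
    # Source port 20 alone is chosen by the sender, so also require that the
    # "target" opened a control connection to port 21 on that host beforehand.
    control = any(e[1] == dst and e[3] == src and e[4] == 21 and e[0] <= first_seen
                  for e in events)
    return from_port_20 and to_high_ports and control

def triage(events):
    """Label each alert as FTP data traffic or as something to investigate."""
    return {alert: ("ftp-data" if explained_by_active_ftp(alert, events) else "investigate")
            for alert in naive_portscan_alerts(events)}

if __name__ == "__main__":
    for (src, dst), verdict in sorted(triage(EVENTS).items()):
        print(f"{src} -> {dst}: {verdict}")
```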
