[Snort-sigs] Portscan reporting

Detmar Liesen counter.spy at ...52...
Sat Feb 22 04:11:16 EST 2003


Hi folks,
from my experience, portscan-detects due to FTP connections
are quite normal for both active and passive FTP connections.

There are FTP clients that open several FTP connections using
different high port numbers.

The same behavior can be seen for active connections vice-versa.

Another protocol where several connections are opened in a short period of
time is HTTP.

However, I'd be glad if some other people can confirm this.

HTH.

Cheers,
Detmar


-----Original Message-----
From: Antony J. Shepherd [mailto:antony.s at ...1308...]
Sent: Monday, February 17, 2003 3:30 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Portscan reporting


We had this portscan report that went on for hours. When I checked the
portscan.log file, it seemed that the access was originating on port 20
(FTP_Data) at the far end, and chugging through every single port from 1024
onwards on our end. This turned out to be due to a colleague sending a large
file by FTP to a client, and it was the client's IP address that was showing
up.

Any ideas why an FTP upload should get picked up as a portscan by Snort?

Yours,
Antony J. Shepherd.
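
The pattern described in this thread (entries whose source port is 20 and whose destination ports are all 1024 or higher) can be separated from other portscan.log entries with a short triage script. This is an added example, not code from either poster or from Snort; the log line layout, the sample entries, the `control_sessions` input and all names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of a portscan.log entry (constructed, not taken from the post):
#   Mon DD HH:MM:SS src_ip:src_port -> dst_ip:dst_port TYPE flags
ENTRY = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s")

# Constructed sample entries using documentation address ranges.
SAMPLE_LOG = """\
Feb 17 03:30:01 203.0.113.7:20 -> 192.0.2.10:1024 SYN ******S*
Feb 17 03:30:04 203.0.113.7:20 -> 192.0.2.10:1025 SYN ******S*
Feb 17 03:30:09 203.0.113.7:20 -> 192.0.2.10:1026 SYN ******S*
Feb 17 03:31:00 198.51.100.9:20 -> 192.0.2.10:1024 SYN ******S*
Feb 17 03:31:01 198.51.100.9:20 -> 192.0.2.10:1025 SYN ******S*
Feb 17 03:31:02 198.51.100.9:20 -> 192.0.2.10:1026 SYN ******S*
Feb 17 03:32:00 198.51.100.23:40112 -> 192.0.2.10:21 SYN ******S*
Feb 17 03:32:00 198.51.100.23:40112 -> 192.0.2.10:23 SYN ******S*
Feb 17 03:32:00 198.51.100.23:40112 -> 192.0.2.10:25 SYN ******S*
"""

# Hypothetical input: (local client, remote server) pairs for which an FTP
# control session to port 21 was seen, e.g. from firewall or flow logs.
SAMPLE_CONTROL = {("192.0.2.10", "203.0.113.7")}


def triage(log_text, control_sessions):
    """Label each (source, destination) pair found in the portscan log."""
    ports = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:  # skip lines that do not fit the assumed layout
            src, sport, dst, dport = m.groups()
            ports[(src, dst)].append((int(sport), int(dport)))
    verdicts = {}
    for (src, dst), hits in ports.items():
        # Pattern from the post: every hit comes from port 20 (ftp-data)
        # and lands on an unprivileged port (1024 and up) on our side.
        ftp_shape = all(sp == 20 and dp >= 1024 for sp, dp in hits)
        if not ftp_shape:
            verdicts[(src, dst)] = "review-as-scan"
        elif (dst, src) in control_sessions:
            verdicts[(src, dst)] = "likely-ftp-data"
        else:
            verdicts[(src, dst)] = "port-20-unconfirmed"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in triage(SAMPLE_LOG, SAMPLE_CONTROL).items():
        print(pair, verdict)
```

A source port of 20 alone does not prove the traffic is FTP data, which is why the script only downgrades a pair when a matching control session between the same two hosts is known.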
