[Snort-sigs] Portscan reporting
counter.spy at ...52...
Sat Feb 22 04:11:16 EST 2003
from my experience, portscan-detects due to FTP connections
are quite normal for both active and passive FTP connections.
There are FTP-Clients that open several FTP connections using
different high portnumbers.
The same behavior can be seen for active connections vice-versa.
Another protocol where several connections are opened in a short period of
However, I'd be glad if some other people can confirm this.
From: Antony J. Shepherd [mailto:antony.s at ...1308...]
Sent: Monday, February 17, 2003 3:30 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Portscan reporting
We had this portscan report that went on for hours. When I checked the
portscan.log file, it seemed that the access was originating on port 20
(FTP_Data) at the far end, and chugging through every single port from 1024
onwards on our end. This turned out to be due to a colleague sending a large
file by FTP to a client, and it was the client's IP address that was showing
Any ideas why an FTP upload should get picked up as a portscan by Snort?
Antony J. Shepherd.
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
More information about the Snort-sigs