cpw at ...440...
Mon Oct 2 17:09:25 EDT 2000
I've noticed a bunch of "source port" traffic alerts like this:
10/02-01:03:59.170861 [**] IDS7/SourcePortTraffic-53-tcp [**] 126.96.36.199:53
10/02-01:06:04.535359 [**] IDS7/SourcePortTraffic-53-tcp [**] 188.8.131.52:53
in the "alert" file.
The interesting aspect about this is that the scan loops first through hosts
(1-255) and then snet (1-255) before calculating a destination host to hit
with the port 53 to port 111 packet.
If I were running the portscan plugin, would it see this as a scan? Is there
an interplay, between rules that sense "scans" (like this one), and whether
portscan records it? I could answer my on question, except the network that
the portscan is looking at is different that the network in this alert.
More information about the Snort-users