[Snort-users] spp_portscan

Phil Wood cpw at ...440...
Mon Oct 2 17:09:25 EDT 2000


Folks,

I've noticed a bunch of "source port" traffic alerts like this:

10/02-01:03:59.170861  [**] IDS7/SourcePortTraffic-53-tcp [**] 203.80.237.141:53 -> my.net.snet.host:111
10/02-01:06:04.535359  [**] IDS7/SourcePortTraffic-53-tcp [**] 203.80.237.141:53 -> my.net.snet+2.host:111
...

in the "alert" file.

The interesting aspect about this is that the scan loops first through hosts
(1-255) and then snet (1-255) before calculating a destination host to hit
with the port 53 to port 111 packet.

If I were running the portscan plugin, would it see this as a scan?  Is there
an interplay between rules that sense "scans" (like this one) and whether
portscan records it?  I could answer my own question, except the network that
the portscan is looking at is different than the network in this alert.

Thanks,

Phil


