[Snort-users] New to snort...what do these mean???

Ralf Hildebrandt Ralf.Hildebrandt at ...22...
Tue Oct 10 13:04:05 EDT 2000


On Tue, Oct 10, 2000 at 09:35:55AM -0400, Michael Packer wrote:

> snort[6807]: spp_portscan: PORTSCAN DETECTED from 216.35.172.137
> snort[6807]: spp_portscan: portscan status from 216.35.172.137: 1 connections
> across 1 hosts: TCP(1), UDP(0) STEALTH

A single SYN packet from 216.35.172.137 triggered the portscan preprocessor.

> snort[6807]: PING-ICMP Destination Unreachable: 203.200.47.173
> snort[6807]: PING-ICMP Time Exceeded .....
> snort[6807]: PING-ICMP MISC - Large ICMP Packet  ....
> 
> Which of these should I be worried about???

The portscan.
 
> I tried checking for a directory in my log section for 216.35.172.137
> but there was nothing...

Depends on how your snort logs! If it logs in binary format, you'll have to
process the binary log in order to get cleartext.

-- 
ralf.hildebrandt at ...22...
Dipl.-Informatiker                                       innominate AG
system engineer                                      networking people
tel: +49.30.308806-62  fax: -77   http://innominate.de  pgp at request
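
Added example (not part of the original message and not Snort project code): a small triage script that parses `spp_portscan` status lines in the format quoted above and totals them per source, so a one-connection alert like the one in this thread can be told apart from a high-volume scan. The log lines, the hostname `fw`, the address 192.0.2.44 and the `min_conns` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format quoted in the post
# (each alert is a single line in syslog; the mail client wrapped it).
SAMPLE_LOG = """\
Oct 10 09:30:01 fw snort[6807]: spp_portscan: PORTSCAN DETECTED from 216.35.172.137
Oct 10 09:30:05 fw snort[6807]: spp_portscan: portscan status from 216.35.172.137: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Oct 10 09:31:10 fw snort[6807]: spp_portscan: PORTSCAN DETECTED from 192.0.2.44
Oct 10 09:31:14 fw snort[6807]: spp_portscan: portscan status from 192.0.2.44: 212 connections across 3 hosts: TCP(212), UDP(0)
Oct 10 09:31:18 fw snort[6807]: spp_portscan: portscan status from 192.0.2.44: 97 connections across 2 hosts: TCP(90), UDP(7)
Oct 10 09:32:00 fw snort[6807]: PING-ICMP Time Exceeded
"""

STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)

def summarize(log_text):
    """Total the status lines per source (assumes each line covers a separate interval)."""
    totals = defaultdict(lambda: {"conns": 0, "max_hosts": 0, "tcp": 0, "udp": 0, "stealth": False})
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue  # not a portscan status line (e.g. the ICMP alerts)
        t = totals[m["src"]]
        t["conns"] += int(m["conns"])
        t["max_hosts"] = max(t["max_hosts"], int(m["hosts"]))
        t["tcp"] += int(m["tcp"])
        t["udp"] += int(m["udp"])
        t["stealth"] = t["stealth"] or m["stealth"] is not None
    return dict(totals)

def triage(totals, min_conns=10):
    """Rank sources by connection count; min_conns is an assumed cut-off, tune it per site."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["conns"], reverse=True)
    return [(src, t["conns"], "review" if t["conns"] >= min_conns else "low-volume") for src, t in ranked]

if __name__ == "__main__":
    for row in triage(summarize(SAMPLE_LOG)):
        print(row)
```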