[Snort-users] New to snort...what do these mean???

Joe McAlerney joey at ...155...
Wed Oct 11 12:19:33 EDT 2000


Vitaly McLain wrote:
> 
> Hi,
> 
> >> how can i tell which port they are scanning
> 
> The basic concept of a portscan is this: an attacker scans a wide range of
> ports on your computer

Or a short range, usually one, across many computers.  Or if they are
simply trying to get caught, a wide range of ports across a wide range
of computers.

> 
> I am looking at the log you posted, and I am fairly sure you did NOT get
> portscanned. It was a false positive. Look at this:
> >> across 1 hosts: TCP(1), UDP(0) STEALTH
> Only 1 TCP connection is not a portscan. Even a portscan which scans a small
> range of ports should have connects in the double digits.

You might call it a probe.  It is STEALTH after all.  You would probably
need the packet itself to determine anything further.

-Joe M.
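
An added illustration, not part of the original message or of Snort: the sketch below sorts per-source connection records into the patterns distinguished in this thread (many ports on one host, few ports across many hosts, both, or a lone probe). The threshold of 10 follows the "double digits" remark and is an assumption, as are the function name and the constructed sample records.

```python
from collections import defaultdict

MANY = 10  # assumption: the thread's "double digits", not a Snort setting


def classify_sources(events):
    """Label each source IP from (src_ip, dst_ip, dst_port) records."""
    hosts, ports, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, dport in events:
        hosts[src].add(dst)
        ports[src].add(dport)
        count[src] += 1
    labels = {}
    for src, n in count.items():
        h, p = len(hosts[src]), len(ports[src])
        if h >= MANY and p >= MANY:
            labels[src] = "block scan"        # wide port range across many hosts
        elif p >= MANY:
            labels[src] = "vertical scan"     # wide port range on few hosts
        elif h >= MANY:
            labels[src] = "horizontal scan"   # short port range across many hosts
        elif n == 1:
            labels[src] = "single probe"      # one packet: needs the packet itself
        else:
            labels[src] = "below threshold"
    return labels


# Constructed sample records (documentation address ranges).
SAMPLE = (
    [("198.51.100.7", "192.0.2.10", port) for port in range(1, 26)]
    + [("198.51.100.8", f"192.0.2.{h}", 23) for h in range(1, 21)]
    + [("198.51.100.9", f"192.0.2.{h}", port)
       for h in range(1, 13) for port in range(20, 32)]
    + [("198.51.100.10", "192.0.2.10", 111)]
)

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE).items()):
        print(src, label)
```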


