[Snort-users] New to snort...what do these mean???
joey at ...155...
Wed Oct 11 12:19:33 EDT 2000
Vitaly McLain wrote:
> >> how can i tell which port they are scanning
> This basic concept of a portscan is this: an attacker scans a wide range of
> ports on your computer
Or a short range, usually one, across many computers. Or if they are
simply trying to get caught, a wide range of ports across a wide range
> I am looking at the log you posted, and I am fairly sure you did NOT get
> portscanned. It was a false positive. Look at this:
> >> across 1 hosts: TCP(1), UDP(0) STEALTH
> Only 1 TCP connection is not a portscan. Even a portscan which scans a small
> range of ports should have connects in the double digits.
You might call it a probe. It is STEALTH after all. You would probably
need the packet itself to determine anything further.
More information about the Snort-users