[Snort-users] PortScan stupid Question

Charles-Henri Hallard ch.hallard at ...628...
Thu Oct 12 06:14:51 EDT 2000


I may have a stupid question about portscan.

I have a lot of portscans that seem to be fired when internal users are surfing
(always the same host, which is www.multimania.com).

In my Snort ruleset:
preprocessor portscan 62.161.231.224/29 10 10 /var/log/snort_portscan.log

In the log:
231.193.0.30:80 -> 62.161.231.225:1096 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1138 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1140 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1145 UNKNOWN 2*S***A* RESERVED BITS

I think my users are connected to 231.193.0.30:80, and then when the host
re-opens a port on the other side on a port >1024 it detects a portscan.

Is there any way to avoid this, or maybe I don't understand everything that is happening?

Thanks
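
An added example, not part of the original post: a small Python triage script over the four log lines quoted above. It decodes the flag column and counts entries that have the shape of a server's SYN+ACK reply (source port 80, destination port above 1023) rather than a probe. The `21SFRPAU` column order, the port heuristic and all function names are assumptions made for this example.

```python
import re

# Constructed sample input: the four log lines quoted in the post above.
SAMPLE_LOG = """\
231.193.0.30:80 -> 62.161.231.225:1096 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1138 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1140 UNKNOWN 2*S***A* RESERVED BITS
231.193.0.30:80 -> 62.161.231.225:1145 UNKNOWN 2*S***A* RESERVED BITS
"""

# Assumption: the 8-column flag string follows the order "21SFRPAU"
# (two reserved bits, then SYN, FIN, RST, PSH, ACK, URG); '*' means unset.
FLAG_ORDER = "21SFRPAU"
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>[21SFRPAU*]{8})(?:\s|$)"
)

def decode_flags(flag_str):
    """Return the set of flag letters that are set in the flag column."""
    return {name for name, ch in zip(FLAG_ORDER, flag_str) if ch != "*"}

def parse_line(line):
    """Parse one portscan log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = decode_flags(rec["flags"])
    return rec

def looks_like_reply(rec, service_ports=(80,)):
    """SYN+ACK from a service port to a high port is step two of a handshake
    that the destination host started, not an unsolicited probe."""
    f = rec["flags"]
    return ({"S", "A"} <= f and not f & {"F", "R"}
            and rec["sport"] in service_ports and rec["dport"] > 1023)

def summarize(log_text):
    """Count parsed entries, reply-shaped entries and reserved-bit entries."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "replies": sum(1 for r in recs if looks_like_reply(r)),
        "reserved_bits": sum(1 for r in recs if r["flags"] & {"1", "2"}),
        "sources": sorted({r["src"] for r in recs}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```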
