[Snort-users] ftp scans
saragoth at ...131...
Wed Apr 4 04:44:55 EDT 2001
I'm running Snort v1.7, my portscan.log is getting
alot of this:
Apr 3 08:40:50 xxx.xxx.xxx.xxx:4882 ->
xxx.xxx.xxx.67:21 SYN ******S*
Apr 3 08:40:50 xxx.xxx.xxx.xxx:4885 ->
xxx.xxx.xxx.70:21 SYN ******S*
Apr 3 08:40:50 xxx.xxx.xxx.xxx:4886 ->
xxx.xxx.xxx71:21 SYN ******S*
This looks to me like someone is scanning for ftps on
our network, I would like to have the scans that hits
port 21 be reported to alert file, but i can seem to
write the correct rule for it, anyone that can help me ?
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.
More information about the Snort-users