[Snort-users] ftp scans

Saragoth nntk saragoth at ...131...
Wed Apr 4 04:44:55 EDT 2001


I'm running Snort v1.7, and my portscan.log is getting
a lot of this:

Apr  3 08:40:50 xxx.xxx.xxx.xxx:4882 -> xxx.xxx.xxx.67:21 SYN ******S*
Apr  3 08:40:50 xxx.xxx.xxx.xxx:4885 -> xxx.xxx.xxx.70:21 SYN ******S*
Apr  3 08:40:50 xxx.xxx.xxx.xxx:4886 -> xxx.xxx.xxx71:21 SYN ******S*

This looks to me like someone is scanning for ftps on
our network. I would like to have the scans that hit
port 21 be reported to the alert file, but I can't seem to
write the correct rule for it. Can anyone help me?
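
An added example, not part of the original post: a small Python filter that reads portscan.log entries in the layout shown above and reports sources that sent SYNs to port 21 on several distinct hosts. The sample addresses are constructed, and the function names and the three-host threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Layout of a portscan.log entry as shown in the post:
#   <date> <src>:<sport> -> <dst>:<dport> <type> <flags>
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)\s*$"
)

# Constructed sample data (documentation address ranges), not from the post.
SAMPLE_LOG = """\
Apr  3 08:40:50 198.51.100.9:4882 -> 192.0.2.67:21 SYN ******S*
Apr  3 08:40:50 198.51.100.9:4885 -> 192.0.2.70:21 SYN ******S*
Apr  3 08:40:50 198.51.100.9:4886 -> 192.0.2.71:21 SYN ******S*
Apr  3 08:41:02 198.51.100.9:4890 -> 192.0.2.71:80 SYN ******S*
Apr  3 08:41:10 203.0.113.5:1033 -> 192.0.2.67:21 SYN ******S*
this line is not a portscan entry
"""

def ftp_sweeps(lines, port=21, min_targets=3):
    """Return {source: sorted targets} for sources that sent SYNs to
    `port` on at least `min_targets` distinct hosts (hypothetical helper)."""
    targets = defaultdict(set)
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue  # skip anything that is not a log entry
        if m["kind"] == "SYN" and int(m["dport"]) == port:
            targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def alert_lines(sweeps, port=21):
    """Format one report line per sweeping source (illustrative format)."""
    return [
        f"ALERT port {port} sweep: {src} probed {len(dsts)} hosts: "
        + ", ".join(dsts)
        for src, dsts in sorted(sweeps.items())
    ]

if __name__ == "__main__":
    for line in alert_lines(ftp_sweeps(SAMPLE_LOG.splitlines())):
        print(line)
```
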
