[Snort-users] ftp scans

Dr SuSE drsuse at ...748...
Wed Apr 4 09:17:05 EDT 2001


alert tcp $EXTERNAL any -> $INTERNAL 21 (msg: "FTP Probe"; flags: S;)

> Hello
> 
> I'm running Snort v1.7, my portscan.log is getting
> a lot of this:
> 
> Apr  3 08:40:50 xxx.xxx.xxx.xxx:4882 -> xxx.xxx.xxx.67:21 SYN ******S*
> Apr  3 08:40:50 xxx.xxx.xxx.xxx:4885 -> xxx.xxx.xxx.70:21 SYN ******S*
> Apr  3 08:40:50 xxx.xxx.xxx.xxx:4886 -> xxx.xxx.xxx71:21 SYN ******S*
> 
> This looks to me like someone is scanning for ftps on
> our network, I would like to have the scans that hit
> port 21 be reported to alert file, but I can't seem to
> write the correct rule for it, anyone that can help me?
> 

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
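
An added example, not part of the original thread: a small Python triage script that reads portscan.log lines in the layout quoted above and lists the sources that sent SYN probes to port 21 on several distinct hosts. The function name, the min_targets threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Layout taken from the excerpt quoted in the post:
#   "Apr  3 08:40:50 SRC:SPORT -> DST:DPORT SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)\s*$"
)

def ftp_sweeps(lines, port=21, min_targets=3):
    """Map each source IP to the sorted list of hosts it SYN-probed on
    `port`, keeping only sources that touched >= min_targets hosts.
    min_targets is a hypothetical tuning knob, not a Snort setting."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # wrapped, truncated or unrelated line
        if m["kind"] == "SYN" and int(m["dport"]) == port:
            targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts)
            for src, dsts in targets.items()
            if len(dsts) >= min_targets}

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr  3 08:40:50 198.51.100.9:4882 -> 192.0.2.67:21 SYN ******S*
Apr  3 08:40:50 198.51.100.9:4885 -> 192.0.2.70:21 SYN ******S*
Apr  3 08:40:50 198.51.100.9:4886 -> 192.0.2.71:21 SYN ******S*
Apr  3 08:41:02 203.0.113.5:1044 -> 192.0.2.67:21 SYN ******S*
Apr  3 08:41:07 203.0.113.5:1050 -> 192.0.2.67:80 SYN ******S*
this line is not a portscan record
""".splitlines()

if __name__ == "__main__":
    for src, dsts in ftp_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed FTP on {len(dsts)} hosts: {', '.join(dsts)}")
```

A single connection attempt to one FTP server stays below the threshold, so ordinary client traffic is not reported as a sweep.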





