[Snort-users] spp_portscan alerts

Jeff Haynie jhaynie at ...710...
Mon Apr 9 09:15:46 EDT 2001


Here is a sample of the code. I have changed the IP addresses but the ports
are the same.

Apr  4 01:04:11 128.1.22.5:3372 -> 128.1.19.200:161 UDP
Apr  4 01:04:11 128.1.22.5:3380 -> 128.1.4.209:161 UDP
Apr  4 01:04:12 128.1.22.5:3391 -> 128.1.19.203:161 UDP
Apr  4 01:04:13 128.1.22.5:3430 -> 128.1.19.205:161 UDP
Apr  4 01:04:14 128.1.22.5:3468 -> 128.1.4.200:161 UDP

Thanks,

Jeff Haynie

Martin Roesch wrote:

> What are the alerts you're getting (which type of portscan are you
> seeing) and what are the contents of your portscan.log file?
>
>      -Marty
>
> > I am receiving spp_portscans from an internal NT machine on our
> > network.  It is not continuous but happens several times during the day.
