[Snort-users] spp_portscan alerts

Fyodor fygrave at ...121...
Mon Apr 9 09:40:34 EDT 2001


On Mon, Apr 09, 2001 at 09:15:46AM -0400, Jeff Haynie wrote:
> Here is a sample of the code. I have changed the IP addresses but the ports
> are the same.
> 
> Apr  4 01:04:11 128.1.22.5:3372 -> 128.1.19.200:161 UDP
> Apr  4 01:04:11 128.1.22.5:3380 -> 128.1.4.209:161 UDP
> Apr  4 01:04:12 128.1.22.5:3391 -> 128.1.19.203:161 UDP
> Apr  4 01:04:13 128.1.22.5:3430 -> 128.1.19.205:161 UDP
> Apr  4 01:04:14 128.1.22.5:3468 -> 128.1.4.200:161 UDP
> 

Looks like your NT box is talking SNMP a lot. You may want to add
the box to the portscan-ignorehosts list if it is legitimate traffic.
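
An added example, not part of the original message or of Snort: a Python sketch that groups spp_portscan log lines in the format quoted above by source, separates a one-service fan-out (the UDP/161 pattern here) from a multi-port probe, and proposes an ignore entry only for hosts listed in an inventory of known pollers. The 10.9.8.7 lines, the `known_pollers` inventory, the function names and the `/32` form of the `portscan-ignorehosts` line are assumptions for illustration.

```python
import re
from collections import defaultdict

# First five lines are the sample quoted in the thread; the 10.9.8.7 lines
# and the junk line are constructed for this example.
SAMPLE_LOG = """\
Apr  4 01:04:11 128.1.22.5:3372 -> 128.1.19.200:161 UDP
Apr  4 01:04:11 128.1.22.5:3380 -> 128.1.4.209:161 UDP
Apr  4 01:04:12 128.1.22.5:3391 -> 128.1.19.203:161 UDP
Apr  4 01:04:13 128.1.22.5:3430 -> 128.1.19.205:161 UDP
Apr  4 01:04:14 128.1.22.5:3468 -> 128.1.4.200:161 UDP
Apr  4 01:09:02 10.9.8.7:4001 -> 128.1.4.200:53 UDP
Apr  4 01:09:02 10.9.8.7:4002 -> 128.1.4.200:69 UDP
Apr  4 01:09:03 10.9.8.7:4003 -> 128.1.4.200:161 UDP
not a portscan log line
"""
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)\s+(\S+)")

def summarize(log_text):
    """Per source IP: distinct destination hosts and (proto, port) pairs."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "events": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not in the quoted format
        src, dst, dport, proto = m.groups()
        stats[src]["hosts"].add(dst)
        stats[src]["ports"].add((proto, int(dport)))
        stats[src]["events"] += 1
    return dict(stats)

def classify(s, min_hosts=3):
    """One service on many hosts looks like polling; many ports looks like a probe."""
    if len(s["ports"]) > 1:
        return "multi-port probe"
    if len(s["hosts"]) >= min_hosts:
        return "single-service fan-out"
    return "inconclusive"

def ignore_candidates(log_text, known_pollers):
    """Sources whose only target service matches the inventory (hypothetical dict)."""
    return sorted(src for src, s in summarize(log_text).items()
                  if classify(s) == "single-service fan-out"
                  and s["ports"] == {known_pollers.get(src)})

def ignorehosts_line(ips):
    # Assumed Snort 1.x form of the directive named in the reply; verify locally.
    return "preprocessor portscan-ignorehosts: " + " ".join(ip + "/32" for ip in ips)
```

Calling `ignore_candidates(SAMPLE_LOG, {"128.1.22.5": ("UDP", 161)})` returns only the inventoried SNMP poller; a source with the same traffic shape that is not in the inventory is left to keep alerting.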




