[Snort-users] spp_portscan alerts
blake at ...319...
Mon Apr 9 13:30:12 EDT 2001
Looks like a scan for SNMP enabled devices.
On Mon, 9 Apr 2001, Jeff Haynie wrote:
> Here is a sample of the code. I have changed the IP addresses but the ports
> are the same.
> Apr 4 01:04:11 18.104.22.168:3372 -> 22.214.171.124:161 UDP
> Apr 4 01:04:11 126.96.36.199:3380 -> 188.8.131.52:161 UDP
> Apr 4 01:04:12 184.108.40.206:3391 -> 220.127.116.11:161 UDP
> Apr 4 01:04:13 18.104.22.168:3430 -> 22.214.171.124:161 UDP
> Apr 4 01:04:14 126.96.36.199:3468 -> 188.8.131.52:161 UDP
> Jeff Haynie
> Martin Roesch wrote:
> > What are the alerts you're getting (which type of portscan are you
> > seeing) and what are the contents of your portscan.log file?
> > -Marty
> > > I am receiving spp_portscans from an internal NT machine on our
> > > network. It is not continuous but happens several times during the day.
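Added example, not part of the original thread and not Snort code: a small Python summarizer for portscan.log lines in the layout quoted above. It groups entries by protocol and destination port so a sweep aimed at one service (here UDP/161, SNMP) stands out. The sample lines, the `SERVICES` label table and the function name `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the portscan.log lines quoted in the thread:
#   "Apr 4 01:04:11 SRC:SPORT -> DST:DPORT PROTO"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
    rf"(?P<src>{IP}):(?P<sport>\d+)\s+->\s+"
    rf"(?P<dst>{IP}):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Hypothetical label table; extend it for the services you care about.
SERVICES = {("UDP", 161): "snmp", ("UDP", 162): "snmptrap", ("UDP", 53): "dns"}

def summarize(lines):
    """Group entries by (proto, dst port); return (rows, skipped_count)."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set()})
    skipped = 0
    for raw in lines:
        m = LINE_RE.match(raw.lstrip("> ").strip())  # tolerate mail quoting
        if not m:
            skipped += 1  # count unparsed lines instead of dropping them silently
            continue
        g = groups[(m["proto"].upper(), int(m["dport"]))]
        g["hits"] += 1
        g["sources"].add(m["src"])
        g["targets"].add(m["dst"])
    rows = [
        {"proto": proto, "port": port,
         "service": SERVICES.get((proto, port), "unknown"),
         "hits": g["hits"], "sources": len(g["sources"]),
         "targets": len(g["targets"])}
        for (proto, port), g in groups.items()
    ]
    # Most-probed service first; one source hitting many targets on one
    # port is the pattern the reply above describes.
    return sorted(rows, key=lambda r: -r["hits"]), skipped

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = """\
Apr 4 01:04:11 192.0.2.10:3372 -> 198.51.100.1:161 UDP
Apr 4 01:04:11 192.0.2.10:3380 -> 198.51.100.2:161 UDP
Apr 4 01:04:12 192.0.2.10:3391 -> 198.51.100.3:161 UDP
> Apr 4 01:04:13 192.0.2.10:3430 -> 198.51.100.4:161 UDP
Apr 4 01:04:14 192.0.2.10:3468 -> 198.51.100.1:53 UDP
not a log line
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE)[0]:
        print(row)
```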