[Snort-users] spp_portscan alerts

Blake Frantz blake at ...319...
Mon Apr 9 13:30:12 EDT 2001


Looks like a scan for SNMP enabled devices.

Blake

================================================================= 

On Mon, 9 Apr 2001, Jeff Haynie wrote:

> Here is a sample of the code. I have changed the IP addresses but the ports
> are the same.
> 
> Apr  4 01:04:11 128.1.22.5:3372 -> 128.1.19.200:161 UDP
> Apr  4 01:04:11 128.1.22.5:3380 -> 128.1.4.209:161 UDP
> Apr  4 01:04:12 128.1.22.5:3391 -> 128.1.19.203:161 UDP
> Apr  4 01:04:13 128.1.22.5:3430 -> 128.1.19.205:161 UDP
> Apr  4 01:04:14 128.1.22.5:3468 -> 128.1.4.200:161 UDP
> 
> Thanks,
> 
> Jeff Haynie
> 
> Martin Roesch wrote:
> 
> > What are the alerts you're getting (which type of portscan are you
> > seeing) and what are the contents of your portscan.log file?
> >
> >      -Marty
> >
> > > I am receiving spp_portscans from an internal NT machine on our
> > > network.  It is not continuous but happens several times during the day.
> 
> 
> 
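
Added example (not part of the original thread, and not Snort code): a small Python script that groups portscan.log entries in the format quoted above by source, protocol and destination port, so the one-port/many-hosts pattern of a sweep for SNMP (UDP/161) stands out. The function names and the min_hosts threshold are assumptions, and the last sample line is constructed for contrast.

```python
import re
from collections import defaultdict

# First five lines are the portscan.log excerpt quoted in the thread;
# the last line is constructed here as a contrasting non-sweep entry.
SAMPLE_LOG = """\
Apr  4 01:04:11 128.1.22.5:3372 -> 128.1.19.200:161 UDP
Apr  4 01:04:11 128.1.22.5:3380 -> 128.1.4.209:161 UDP
Apr  4 01:04:12 128.1.22.5:3391 -> 128.1.19.203:161 UDP
Apr  4 01:04:13 128.1.22.5:3430 -> 128.1.19.205:161 UDP
Apr  4 01:04:14 128.1.22.5:3468 -> 128.1.4.200:161 UDP
Apr  4 01:04:15 128.1.4.10:1045 -> 128.1.4.2:53 UDP
"""

# Matches only the line layout shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)"
)

def parse(log_text):
    """Yield (src, dst, dport, proto) for every recognised log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or unrecognised lines are skipped
            yield m["src"], m["dst"], int(m["dport"]), m["proto"].upper()

def find_sweeps(log_text, min_hosts=3):
    """Return {(src, proto, dport): sorted destinations} for each source
    that hit the same port on at least min_hosts distinct hosts.
    min_hosts=3 is an assumed threshold; tune it for your network."""
    targets = defaultdict(set)
    for src, dst, dport, proto in parse(log_text):
        targets[(src, proto, dport)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (src, proto, dport), hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {proto}/{dport} across {len(hosts)} hosts: "
              + ", ".join(hosts))
```
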
