[Snort-users] snort detects portscan?

Joe McAlerney joey at ...47...
Tue Jun 19 19:36:53 EDT 2001


The portscan preprocessor is detecting "stealth" packets.  They will be
alerted on regardless of whether or not you have the source host defined
in portscan-ignorehosts.  There are some good examples of why this
occurs in the archives of this mailing list.  Most recently, it is
caused by ECN packets with Linux 2.4 kernels.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

alexus wrote:
> 
> Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184:
> 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
> Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan:
> portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1),
> UDP(1) STEALTH
> Jun 19 19:05:30 box snort: spp_portscan: End of portscan from
> 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of
> portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> 
> i'm getting this in my syslog like every other 10 minutes.. i know that ip is
> not portscanning me 'cause i wouldn't portscan myself:)
> 
> any ideas what could cause that?
> 
> as far as i can tell i do have a bit of communication between my box and
> that pc .. that's dns .. but then again why is it doing every 10 minutes?
> and in snort.conf i put into var DNS_SERVERS i put this ip..
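A triage sketch for the alerts discussed in this thread, added here as an example and not part of either poster's message or of Snort: it parses the End-of-portscan syslog summaries in the format quoted above, drops the `/kernel:` relayed duplicates, and flags small STEALTH-only events from known peers. The sample lines, the documentation addresses, the `known_peers` set, the `max_conns` threshold and the line format without the STEALTH suffix are assumptions.

```python
import re

# Constructed sample in the format quoted in the post; 192.0.2.53 and
# 198.51.100.7 are documentation addresses, not hosts from the thread.
SAMPLE = """\
Jun 19 19:05:26 box snort: spp_portscan: portscan status from 192.0.2.53: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:07:12 box snort: spp_portscan: End of portscan from 198.51.100.7: TOTAL time(9s) hosts(14) TCP(212) UDP(0)
"""

# Assumed format: the trailing " STEALTH" is absent for non-stealth events.
END = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ snort: spp_portscan: End of portscan "
    r"from (?P<src>[\d.]+): TOTAL time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) "
    r"TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?\s*$")

def end_events(text):
    """Return unique End-of-portscan summaries; the /kernel: relay of the
    same message matches at its inner timestamp and is dropped as a duplicate."""
    seen, events = set(), []
    for line in text.splitlines():
        m = END.search(line)
        if not m:
            continue  # status lines and unrelated syslog entries
        ev = {k: (int(v) if k in ("secs", "hosts", "tcp", "udp") else v)
              for k, v in m.groupdict().items()}
        ev["stealth"] = ev["stealth"] is not None
        key = tuple(sorted(ev.items()))
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events

def triage(ev, known_peers, max_conns=4):
    """Assumed local policy: a STEALTH event of a few connections to one
    host, from a peer we already talk to, is a false-positive candidate."""
    small = ev["hosts"] == 1 and ev["tcp"] + ev["udp"] <= max_conns
    if ev["stealth"] and small and ev["src"] in known_peers:
        return "false-positive candidate"
    return "investigate"

if __name__ == "__main__":
    for ev in end_events(SAMPLE):
        print(ev["ts"], ev["src"], triage(ev, {"192.0.2.53"}))
```
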