[Snort-users] snort detects portscan?
joey at ...47...
Tue Jun 19 19:36:53 EDT 2001
The portscan preprocessor is detecting "stealth" packets. They will be
alerted on regardless of whether or not you have the source host defined
in portscan-ignorehosts. There are some good examples of why this
occurs in the archives of this mailing list. Most recently, it is
caused by ENC packets with Linux 2.4 kernels.
| Joe McAlerney joey at ...155... |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
> Jun 19 19:05:26 box snort: spp_portscan: portscan status from 126.96.36.199:
> 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
> Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan:
> portscan status from 188.8.131.52: 2 connections across 1 hosts: TCP(1),
> UDP(1) STEALTH
> Jun 19 19:05:30 box snort: spp_portscan: End of portscan from
> 184.108.40.206: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of
> portscan from 220.127.116.11: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> I'm getting this in my syslog like every other 10 minutes.. I know that IP is
> not portscanning me 'cause I wouldn't portscan myself :)
> Any ideas what could cause that?
> As far as I can tell I do have a bit of communication between my box and
> that PC .. that's DNS .. but then again why is it doing it every 10 minutes?
> And in snort.conf I put this IP into var DNS_SERVERS..
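An added example, not part of the original thread or of Snort itself: a small triage script that parses spp_portscan "End of portscan" syslog lines in the format quoted above and lists sources whose alerts are all STEALTH-flagged and tiny (one host, a couple of connections), which is the pattern the reply attributes to stealth-packet detection rather than a real sweep. The sample lines, the documentation-range addresses, the thresholds, and the assumption that non-stealth summaries simply omit the trailing STEALTH token are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the spp_portscan syslog format quoted in the thread
# (192.0.2.x / 198.51.100.x are documentation addresses, not taken from the post).
SAMPLE_LOG = """\
Jun 19 19:05:26 box snort: spp_portscan: portscan status from 192.0.2.53: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:15:27 box snort: spp_portscan: portscan status from 192.0.2.53: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:15:31 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:20:02 box snort: spp_portscan: End of portscan from 198.51.100.7: TOTAL time(14s) hosts(40) TCP(312) UDP(0)
"""

# Assumption: a summary without stealth packets has no trailing " STEALTH" token.
END_RE = re.compile(
    r"spp_portscan: End of portscan from (?P<src>[\d.]+): TOTAL "
    r"time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) "
    r"TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)

def summarize(log_text):
    """Aggregate 'End of portscan' summaries per source address."""
    stats = defaultdict(lambda: {"events": 0, "hosts": 0, "conns": 0, "stealth": 0})
    for line in log_text.splitlines():
        m = END_RE.search(line)
        if not m:
            continue  # status lines and unrelated syslog entries are skipped
        s = stats[m["src"]]
        s["events"] += 1
        s["hosts"] = max(s["hosts"], int(m["hosts"]))
        s["conns"] += int(m["tcp"]) + int(m["udp"])
        s["stealth"] += 1 if m["stealth"] else 0
    return dict(stats)

def stealth_only_sources(stats, max_hosts=1, max_conns_per_event=2):
    """Sources whose every alert is STEALTH-flagged and tiny (hypothetical
    thresholds): candidates for review as stealth-packet false positives."""
    return sorted(
        src for src, s in stats.items()
        if s["stealth"] == s["events"]
        and s["hosts"] <= max_hosts
        and s["conns"] <= max_conns_per_event * s["events"]
    )

if __name__ == "__main__":
    print(stealth_only_sources(summarize(SAMPLE_LOG)))
```

Sources it lists are worth checking against known infrastructure such as the DNS server before tuning; a source with many hosts or connections is left out and should be treated as a normal portscan alert.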