[Snort-users] spp_portscan

Kevin Brown Kevin.M.Brown at ...1022...
Fri Jun 22 11:34:16 EDT 2001


spp == Snort Preprocessor Plugin
portscan == Snort Portscan Plugin

This alert was not generated by a rule, therefore no packets were captured
to log.  The alert was generated by a separate program that comes with
snort.

In snort.conf look for a line like:
preprocessor portscan: $HOME_NET 10 3 portscan.log

Which says alert on any external system hitting systems in $HOME_NET at a
rate greater than or equal to 10 systems in 3 seconds (these two numbers may
be different in your config).

-----Original Message-----
From: niko at ...2371... [mailto:niko at ...2371...]
Sent: Friday, June 22, 2001 08:17
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] spp_portscan



  Since putting this firewall up I have been receiving a barrage of alerts
with the following information.  It doesn't seem to give me much to go on
and I have been unable to find any decent info about what exactly an
spp_portscan is.  Plus I find it extremely odd that there is no source or
destination info short of what shows up in the "Triggered
Signature" section of ACID.  Also, there is no payload info.  Maybe I am
missing something obvious but would greatly appreciate any light anyone
can shed on this issue. 

Thank you,

Niko

#1-(39-908)  spp_portscan: portscan status from my.dns.server.ip: 1
connections across 1 hosts: TCP(0), UDP(1) 2001-06-22 10:45:18  unknown
unknown  IP
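
The alert quoted above carries its source and connection counts only in the message text. As an added example (not part of the original thread and not Snort's own code), this Python code parses status alerts of that shape and totals them per source; the sample lines and their documentation-range addresses are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the status alert quoted in the thread. \s+ between
# tokens tolerates the line wrapping seen in mail and console output.
STATUS_RE = re.compile(
    r"spp_portscan:\s+portscan\s+status\s+from\s+(?P<src>\S+):\s+"
    r"(?P<conns>\d+)\s+connections\s+across\s+(?P<hosts>\d+)\s+hosts:\s+"
    r"TCP\((?P<tcp>\d+)\),\s+UDP\((?P<udp>\d+)\)"
)

def parse_status(text):
    """Return the fields of one status alert, or None if text is not one."""
    m = STATUS_RE.search(text)
    if m is None:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "src"}
    rec["src"] = m.group("src")
    return rec

def summarize_by_source(alerts):
    """Total status alerts per source, most hosts touched first."""
    totals = defaultdict(
        lambda: {"alerts": 0, "conns": 0, "max_hosts": 0, "tcp": 0, "udp": 0})
    for text in alerts:
        rec = parse_status(text)
        if rec is None:
            continue  # not a status message; skip rather than guess
        t = totals[rec["src"]]
        t["alerts"] += 1
        t["conns"] += rec["conns"]
        t["tcp"] += rec["tcp"]
        t["udp"] += rec["udp"]
        t["max_hosts"] = max(t["max_hosts"], rec["hosts"])
    return sorted(totals.items(),
                  key=lambda kv: (-kv[1]["max_hosts"], -kv[1]["conns"]))

# Constructed sample input; addresses are documentation-range placeholders.
SAMPLE_ALERTS = [
    "spp_portscan: portscan status from 192.0.2.53: 1 connections across 1 hosts: TCP(0), UDP(1)",
    "spp_portscan: portscan status from 198.51.100.7: 42 connections across 12 hosts: TCP(42), UDP(0)",
    "spp_portscan: portscan status from 192.0.2.53: 2 connections across 1 hosts: TCP(0), UDP(2)",
    "constructed line that is not a status message",
]

if __name__ == "__main__":
    for src, t in summarize_by_source(SAMPLE_ALERTS):
        print(f"{src:16} alerts={t['alerts']} conns={t['conns']} "
              f"max_hosts={t['max_hosts']} tcp={t['tcp']} udp={t['udp']}")
```
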

