[Snort-users] FTP seen as portscan?

Stephen C Burns sburns at ...2404...
Wed Jun 27 11:03:00 EDT 2001


Hi all, 

I note several entries like the following in my /var/log/snort/alert
file.  These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4
connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196 
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1
hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479 
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1
hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738 
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1
hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497 
[**] spp_portscan: portscan status from x.x.x.x4: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503 
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514 
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806 
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s)
hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293 

I realize why FTP could possibly trigger this, but is there logic in
Snort that would allow me to turn this off (other than removing the port
scan rule, of course)?  TIA!
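
An added example, not part of the original post and not Snort's own code: a small Python triage script that parses the spp_portscan alert layout quoted above and marks sources whose connections all went to a single host over TCP only, the pattern the post reports for verified FTP traffic. The sample addresses and timestamps are constructed, and the script assumes an alert may be wrapped across lines as it is in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the alert layout quoted in the post; the addresses are
# documentation-range placeholders, not values from the post.
SAMPLE = """\
[**] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4
connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from 192.0.2.10: 13 connections across 1
hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: End of portscan from 192.0.2.10: TOTAL time(51s)
hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
[**] spp_portscan: portscan status from 198.51.100.7: 40 connections across 12
hosts: TCP(40), UDP(0) [**]
06/22-14:30:01.000000
[**] spp_portscan: End of portscan from 198.51.100.7: TOTAL time(9s)
hosts(12) TCP(40) UDP(0) [**]
06/22-14:30:10.000000
"""

STATUS = re.compile(r"portscan status from (\S+): (\d+) connections across (\d+) "
                    r"hosts: TCP\((\d+)\), UDP\((\d+)\)")
END = re.compile(r"End of portscan from (\S+): TOTAL time\((\d+)s\) "
                 r"hosts\((\d+)\) TCP\((\d+)\) UDP\((\d+)\)")

def summarize(alert_text):
    """Aggregate spp_portscan alerts per source address."""
    flat = " ".join(alert_text.split())  # undo line wrapping inside an alert
    max_hosts = defaultdict(int)
    for src, _conns, hosts, _tcp, _udp in STATUS.findall(flat):
        max_hosts[src] = max(max_hosts[src], int(hosts))
    out = {}
    for src, secs, hosts, tcp, udp in END.findall(flat):
        s = out.setdefault(src, {"seconds": 0, "tcp": 0, "udp": 0, "hosts": 0})
        s["seconds"] += int(secs)
        s["tcp"] += int(tcp)
        s["udp"] += int(udp)
        s["hosts"] = max(s["hosts"], max_hosts[src], int(hosts))
    for s in out.values():
        # One destination host and TCP only: the shape the post reports for FTP.
        s["single_host_tcp"] = s["hosts"] == 1 and s["udp"] == 0
    return out

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s)
```

A source marked `single_host_tcp` is only a candidate for review against known FTP servers and clients; the flag alone does not show the traffic was benign.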




