[Snort-users] FTP seen as portscan?

Stephen C Burns sburns at ...2404...
Wed Jun 27 11:28:01 EDT 2001


Great question.  I know that this is an FTP connect because the source
IP is the internet interface of my NAT router (server is colocated
elsewhere) and my ftpd's logs reflect connection states that match up
with these timestamps.  However, I don't know what type of client this
someone is using.  I know that this person was only logged in once.

-----Original Message-----
From: Paul Murphy [mailto:paul.murphy at ...2217...] 
Sent: Wednesday, June 27, 2001 10:24 AM
To: sburns at ...2404...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] FTP seen as portscan?



Hmm... what is this...  Getright or some other ftp multiconnector?

>>> "Stephen C Burns" <sburns at ...2404...> 6/27/2001 04:03:00 pm >>>

Hi all, 

I note several entries like the following in my /var/log/snort/alert
file.  These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293

I realize why FTP could possibly trigger this, but is there logic in
snort that would allow me to turn this off (other than removing the port
scan rule, of course)?  TIA!


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------
CRESTCo Ltd.              The views expressed above are not necessarily
33 Cannon Street          those held by CRESTCo Limited.
London EC4M 5SB (UK)
+44 (020) 7849 0000       http://www.crestco.co.uk
------------------------------------------------------------------------
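Stephen's question, whether Snort itself can be told that this source is expected traffic, has a direct answer in Snort 1.x: snort.conf accepts `preprocessor portscan-ignorehosts: <host list>` to exempt listed sources from spp_portscan, at the cost of also ignoring genuine scans from those addresses (here the NAT router's address fronts every machine behind it). The reason FTP trips the preprocessor is that passive-mode FTP opens a new data connection to a fresh server port for every transfer, so a client issuing many transfers in a few seconds (a multi-connection downloader, as Paul suggests) looks to spp_portscan exactly like a host walking ports. The Python script below is an added example, not code from the thread or from Snort: it parses the spp_portscan full-alert format shown above, pairs each completed scan with ftpd LOGIN/LOGOUT records for the same source, and reports which scans are explained by an FTP session rather than silencing them outright. The addresses (RFC 5737 documentation ranges standing in for the redacted x.x.x.x), the ftpd log format, the year 2001 and the five-second clock-skew allowance are all assumptions made for the demonstration.

```python
# Added example: correlate Snort 1.x spp_portscan alerts with an ftpd session
# log. Not from the thread or from Snort. All sample data is constructed: the
# alert block mirrors the post with x.x.x.x replaced by an RFC 5737 address,
# and the ftpd log format "MM/DD-HH:MM:SS EVENT client" is invented.
import re
from datetime import datetime, timedelta

YEAR = 2001  # assumed: spp_portscan timestamps carry no year

SNORT_ALERTS = """\
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.5 (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from 203.0.113.5: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from 203.0.113.5: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from 203.0.113.5: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from 203.0.113.5: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from 203.0.113.5: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from 203.0.113.5: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from 203.0.113.5: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from 203.0.113.5: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
"""

# Constructed ftpd log: the session that explains the scan above, plus an
# unrelated one from another client.
FTP_LOG = """\
06/22-14:21:40 LOGIN 203.0.113.5
06/22-14:22:45 LOGOUT 203.0.113.5
06/22-15:05:12 LOGIN 198.51.100.7
06/22-15:05:30 LOGOUT 198.51.100.7
"""

# Full-alert format: one "[**] spp_portscan: ... [**]" line, then the timestamp.
ALERT_RE = re.compile(r"\[\*\*\] spp_portscan: (?P<msg>[^\n]*?) \[\*\*\]\s+"
                      r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d(?:\.\d+)?)")
DETECT_RE = re.compile(r"PORTSCAN DETECTED from (\S+) \(THRESHOLD (\d+) connections exceeded in (\d+) seconds\)")
STATUS_RE = re.compile(r"portscan status from (\S+): (\d+) connections across (\d+) hosts: TCP\((\d+)\), UDP\((\d+)\)")
END_RE = re.compile(r"End of portscan from (\S+): TOTAL time\((\d+)s\) hosts\((\d+)\) TCP\((\d+)\) UDP\((\d+)\)")


def parse_ts(stamp):
    """'06/22-14:21:44.903196' (fraction optional) -> datetime in YEAR."""
    fmt = "%Y/%m/%d-%H:%M:%S.%f" if "." in stamp else "%Y/%m/%d-%H:%M:%S"
    return datetime.strptime(f"{YEAR}/{stamp}", fmt)


def parse_scans(text):
    """Fold DETECTED / status / End records into one dict per completed scan."""
    open_scans, done = {}, []
    for m in ALERT_RE.finditer(text):
        msg, ts = m["msg"], parse_ts(m["ts"])
        if d := DETECT_RE.match(msg):
            open_scans[d[1]] = {"src": d[1], "start": ts, "end": None, "hosts": 0,
                                "tcp": 0, "udp": 0, "status": []}
        elif (s := STATUS_RE.match(msg)) and s[1] in open_scans:
            open_scans[s[1]]["status"].append((ts, int(s[4]), int(s[5])))
        elif (e := END_RE.match(msg)) and e[1] in open_scans:
            scan = open_scans.pop(e[1])
            scan.update(end=ts, hosts=int(e[3]), tcp=int(e[4]), udp=int(e[5]))
            done.append(scan)
    return done


def status_total(scan):
    """Sum of the periodic status TCP counts; should equal the End total."""
    return sum(tcp for _, tcp, _ in scan["status"])


def parse_ftp_sessions(text):
    """Pair LOGIN/LOGOUT lines per client into (client, login, logout)."""
    logins, sessions = {}, []
    for line in text.splitlines():
        stamp, event, client = line.split()
        if event == "LOGIN":
            logins[client] = parse_ts(stamp)
        elif event == "LOGOUT" and client in logins:
            sessions.append((client, logins.pop(client), parse_ts(stamp)))
    return sessions


def classify(scan, sessions, slack=timedelta(seconds=5)):
    """'ftp-session' if the scan touched one host and lies inside an FTP session
    from the same client (slack absorbs sensor/server clock skew), else 'unexplained'."""
    for client, login, logout in sessions:
        if (client == scan["src"] and scan["hosts"] == 1
                and login - slack <= scan["start"] and scan["end"] <= logout + slack):
            return "ftp-session"
    return "unexplained"


def report(alert_text=SNORT_ALERTS, ftp_text=FTP_LOG):
    """(src, hosts, tcp_total, status_sum, verdict) per completed scan."""
    sessions = parse_ftp_sessions(ftp_text)
    return [(s["src"], s["hosts"], s["tcp"], status_total(s), classify(s, sessions))
            for s in parse_scans(alert_text)]
```

Run `report()` against the real alert file and the real ftpd log (after adapting `parse_ftp_sessions` to that daemon's format) to get one row per scan; a scan that spans several hosts, or that falls outside any session from its source, stays "unexplained" and still deserves a look, which is what a blanket `portscan-ignorehosts` entry for the NAT address would hide.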
