[Snort-users] Stealth scan question...

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Wed Mar 14 01:17:15 EST 2001

On Tue, Mar 13, 2001 at 02:01:50PM -0700, JPP wrote:

> These particular entries have been showing up in my IPCHAINS logs for
> quite sometime and are automatically blocked. They come to primarily
> port(s) 17727 and 17746  - the firewall stops them, but SNORT (which I
> just started using to monitor the IRC and web servers) is seeing them as
> possible Stealth scans.
> Possible these are "false positives"?

The portscan preprocessor recognizes certain types of packets as portscan
(e.g. packets with all flags set). If you don't want to see these scans,
scan on another (internal) interface.

ralf.hildebrandt at ...821...
System Engineer                                            innominate AG
Diplom-Informatiker                                 the linux architects
tel: +49.30.308806-62  fax: -698                      www.innominate.com

More information about the Snort-users mailing list