[Snort-users] Stealth scan question...
Ralf.Hildebrandt at ...821...
Wed Mar 14 01:17:15 EST 2001
On Tue, Mar 13, 2001 at 02:01:50PM -0700, JPP wrote:
> These particular entries have been showing up in my IPCHAINS logs for
> quite sometime and are automatically blocked. They come to primarily
> port(s) 17727 and 17746 - the firewall stops them, but SNORT (which I
> just started using to monitor the IRC and web servers) is seeing them as
> possible Stealth scans.
> Possible these are "false positives"?
The portscan preprocessor recognizes certain types of packets as portscan
(e.g. packets with all flags set). If you don't want to see these scans,
scan on another (internal) interface.
ralf.hildebrandt at ...821...
System Engineer innominate AG
Diplom-Informatiker the linux architects
tel: +49.30.308806-62 fax: -698 www.innominate.com
More information about the Snort-users