[Snort-users] Possible Queso Fingerprint attempt?

Fyodor fygrave at ...121...
Thu Mar 15 15:25:36 EST 2001

On Tue, Mar 13, 2001 at 07:00:36PM +0100, Ookhoi wrote:
> Hi!
> Our ISP blocked our webserver for a while because (a) Company mailed
> that they were portscanned by us according to their hereby included
> snort log. 

There's such a thing as 'decoy hosts' in nmap. :) Making your site appear to
do portscanning of that company would be trivial for any script kiddie. (if
this counts as an argument).

Another option could be that you should review those guys' snort configuration.
They may just have tuned their portscan detector to scream even if a single
packet to a certain host pops up.

Hope it helps.
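
The second point above, as an added example that is not part of the original message: a simplified threshold-based scan detector (not Snort's own portscan preprocessor) run over constructed packet records, showing how a threshold of one distinct port flags any host that sends a single packet. The function name, its parameters and the documentation-range addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (timestamp_s, src_ip, dst_ip, dst_port).
# Addresses are documentation ranges, not taken from the thread.
PACKETS = [
    (0.0,  "192.0.2.10",  "198.51.100.5", 1025),  # lone packet, e.g. a server reply
    (1.0,  "203.0.113.7", "198.51.100.5", 21),
    (1.1,  "203.0.113.7", "198.51.100.5", 22),
    (1.2,  "203.0.113.7", "198.51.100.5", 23),
    (1.3,  "203.0.113.7", "198.51.100.5", 25),
    (1.4,  "203.0.113.7", "198.51.100.5", 80),
    (50.0, "192.0.2.10",  "198.51.100.5", 1026),  # another lone packet, much later
]

def detect_portscans(packets, min_ports, window):
    """Return the sources that touched at least `min_ports` distinct ports
    on a single destination within `window` seconds (hypothetical helper)."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, port), ...] still in window
    flagged = set()
    for ts, src, dst, port in sorted(packets):
        hits = recent[(src, dst)]
        hits.append((ts, port))
        # Slide the window: forget events older than `window` seconds.
        hits[:] = [(t, p) for t, p in hits if ts - t <= window]
        if len({p for _, p in hits}) >= min_ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    # Over-sensitive tuning: one packet is enough to raise an alert.
    print("min_ports=1:", sorted(detect_portscans(PACKETS, 1, 3.0)))
    # Saner tuning: several distinct ports in a short window.
    print("min_ports=4:", sorted(detect_portscans(PACKETS, 4, 3.0)))
```

Either way the detector keys on the source address in the packet, so an alert on its own does not establish which host actually sent the traffic.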

