[Snort-users] Portscan from own interface

Subba Rao subba9 at ...530...
Wed May 16 02:55:10 EDT 2001


On  0, Midnight shadow <p.selder at ...2006...> wrote:
> On Wednesday 16 May 2001 07:37, Subba Rao wrote:
> 
> >
> > I am seeing similar messages in my snort logs. I hope it is only spoofing
> > and not that my machine has been compromised.
> 
> I found out what was the cause with my machine.
> When someone made a connection through the firewall to surf the web these 
> messages were generated because I removed a few ports from the preprocessor. 
> I removed port 80 and 443 for instance.
> Now I added them back and the logs are quiet now. (except for a real portscan)
> 
> Hope this helps
> 
> > [**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
> > hosts: TCP(1), UDP(0) [**] 05/16-05:19:37.397711
> >
> 

Thank you for replying. These entries in my logs were from last night. I don't
think I had my browser open (which does update news pretty frequently). The
preprocessor statements I have are,

preprocessor http_decode: 80 8080
preprocessor minfrag: 128

How can I find out from the "spp_portscan" log message, which ports are
involved?

Thank you once again.
-- 

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217



