[Snort-users] is there anyway of stoping this?
ryan at ...35...
Thu May 31 14:43:17 EDT 2001
On Thu, 31 May 2001, Ben Johansen wrote:
> I have looked at whitehats.com and found not direct reference to this
the spp_ indictates that it's the Snort Pre-Processor that's spotting
these, not a whitehats rule, I think.
> --start log view---
> 05/31-01:53:39.840000 [**] spp_portscan: PORTSCAN DETECTED from
> 220.127.116.11 (STEALTH) [**]
> 05/31-01:54:32.255000 [**] spp_portscan: portscan status from
> 18.104.22.168: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
> 05/31-01:55:35.155000 [**] spp_portscan: End of portscan from
> 22.214.171.124: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
> --end log view---
> Can it be stopped?
I think this FAQ items starts to address your question, though it's not a
> Is there a hole I have missed?
This log item is simply telling you that you're getting a port scan. It
doesn't indicate whether a particular attempt is being made.
More information about the Snort-users