[Snort-users] is there anyway of stoping this?

Ryan Russell ryan at ...35...
Thu May 31 14:43:17 EDT 2001


On Thu, 31 May 2001, Ben Johansen wrote:

> I have looked at whitehats.com and found not direct reference to this
> portscan

the spp_ indictates that it's the Snort Pre-Processor that's spotting
these, not a whitehats rule, I think.

>
> --start log view---
> 05/31-01:53:39.840000  [**] spp_portscan: PORTSCAN DETECTED from
> 156.46.219.190 (STEALTH) [**]
> 05/31-01:54:32.255000  [**] spp_portscan: portscan status from
> 156.46.219.190: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
> 05/31-01:55:35.155000  [**] spp_portscan: End of portscan from
> 156.46.219.190: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
> --end log view---
>
> Can it be stopped?

I think this FAQ items starts to address your question, though it's not a
complete answer:
http://www.snort.org/FAQ.html#q18

> Is there a hole I have missed?

This log item is simply telling you that you're getting a port scan.  It
doesn't indicate whether a particular attempt is being made.

					Ryan





More information about the Snort-users mailing list