[Snort-users] Portscans using spp_portscan

Erek Adams erek at ...577...
Tue Oct 16 22:22:19 EDT 2001


On Wed, 17 Oct 2001, Shane Machon wrote:

> Greetings,

We are from the planet Snort.  All bow to our Master--Snorticus.

[God--Too much late night SciFi Channel....]

> I am seeing constant portscans from my local ip address when running the
> stream4 detect portscans plugin.
>
> spp_portscan: PORTSCAN DETECTED from (My Local IP)
> spp_portscan: portscan status from (My Local IP): 1 connections across 1
> hosts: TCP(1), UDP(0)
> spp_portscan: portscan status from (My Local IP): 2 connections across 2
> hosts: TCP(1), UDP(1)
> spp_portscan: portscan status from (My Local IP): 1 connections across 1
> hosts: TCP(1), UDP(0)
> ...........................

Actually, that's not from stream4; it's from spp_portscan.

> How is this possible? Nobody is running a portscanner of any type from
> this machine, the system is not running dns or web traffic (only smtp).

Is SMTP the only traffic you see to this box?  If you do a 'snort -dv host <my
local ip>', what traffic does it show on the screen?

Can you view these packets?  Are you logging them?  If you are, dump them back
and view the decoded output.  You might see something in the decode that might
let you know what's going on.

Ping thought:  What is your snort.conf entry for the spp_portscan config?  The
one that's something like "preprocessor portscan: $HOME_NET 7 4 portscan.log".

> Am I missing something simple? Should I be worried?

It might not even be something simple, but something does sound odd.  I'd say
no.  It sounds more like a misconfiguration to me.

> Using Redhat 7.0 Snort 1.8.1 RPM Package (no DB Support)

Ug...  I'm sorry.  ;-)

> Any help appreciated.

I guess 'move off of RH' wouldn't be feasible?  *grin*

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
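As an added illustration, not part of this thread or of Snort itself: a small Python parser for the spp_portscan status lines quoted above that tallies what the preprocessor reported per source and compares the total with the port count from a "preprocessor portscan: $HOME_NET 7 4 portscan.log" style entry. The addresses in the sample are constructed, and reading the "7" as the number of ports/connections that triggers an alert is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the spp_portscan format quoted in the thread.
# The addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
spp_portscan: PORTSCAN DETECTED from 192.0.2.10
spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0)
spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(1), UDP(1)
spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0)
spp_portscan: portscan status from 198.51.100.7: 9 connections across 1 hosts: TCP(9), UDP(0)
"""

# One 'portscan status' line; 'PORTSCAN DETECTED' lines deliberately do not match.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)


def parse_status_lines(text):
    """Return one dict per status line; any other line is ignored."""
    rows = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            rows.append({k: (v if k == "src" else int(v)) for k, v in m.groupdict().items()})
    return rows


def summarize(rows):
    """Sum the per-report counters for each source so a burst of reports reads as a whole."""
    totals = defaultdict(lambda: {"conns": 0, "hosts": 0, "tcp": 0, "udp": 0, "reports": 0})
    for r in rows:
        t = totals[r["src"]]
        for k in ("conns", "hosts", "tcp", "udp"):
            t[k] += r[k]
        t["reports"] += 1
    return dict(totals)


def flag_sources(totals, port_threshold=7):
    """Sources whose summed connection count reaches the configured port count.

    Assumption: the '7' in 'preprocessor portscan: $HOME_NET 7 4 portscan.log'
    is the number of ports/connections that triggers an alert. A source that
    is reported far below it (like the local mail host above) points at the
    preprocessor's own bookkeeping or its config rather than at a real scan.
    """
    return sorted(src for src, t in totals.items() if t["conns"] >= port_threshold)
```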
