[Snort-users] guardian + snort

Dariusz Brzeziński dariusz.brzezinski at ...3372...
Sat Sep 8 04:25:01 EDT 2001


Hello to all - I'm new here :-)

I don't know if any of you are using snort+guardian, but I'd like
to ask one question:
Why does guardian see

[**] [1:1002:1]  <ppp0> WEB-IIS cmd.exe access [**]

in snort's alert file and correctly blocks it and DOES NOT see:

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 212.106.168.62 (THRESHOLD 4 connections exceeded in 0 seco
09/08-03:49:41.593784

[**] [100:2:1]  <ppp0> spp_portscan: portscan status from 212.106.168.62: 44 connections across 1 hosts: TCP(44), UDP(0) [**]
09/08-03:49:45.055077

In the end it blocks less important things and does not block portscanning.

TIA for help

  

-- 
Best regards,
 Dariusz                          mailto:dariusz.brzezinski at ...3372...




