[Snort-users] "portscans" that only hit one host, one time?
Keith.McCammon at ...3497...
Fri Aug 9 10:51:03 EDT 2002
[WARNING: Slightly off-topic]
> Aug 9 11:48:39 18.104.22.168:2051 -> xxx.yyy.zzz.66:443
> NOACK *2U*PRS*
I don't know much about spp_portscan internals, so I'm not sure why this was logged. However, I'd sure as hell qualify this as a portscan. This packet is definitely crafted to bypass a filter or elicit a response for fingerprinting or the like.
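An added example, not part of the original message and not Snort code: a small decoder for the flag string in the quoted log line, listing why the combination does not fit normal TCP behaviour. It assumes the eight-position layout `12UAPRSF` with `*` for an unset bit; the function names and the anomaly rules are choices made for this example.

```python
# Added example, not Snort source code.
# Assumption: flag strings have eight positions in the order 1 2 U A P R S F,
# and '*' marks a bit that is not set.
LAYOUT = "12UAPRSF"
NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
         "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


def decode_flags(flag_string):
    """Return the set of flag names encoded in a string such as '*2U*PRS*'."""
    if len(flag_string) != len(LAYOUT):
        raise ValueError("expected %d characters: %r" % (len(LAYOUT), flag_string))
    flags = set()
    for got, expected in zip(flag_string, LAYOUT):
        if got == expected:
            flags.add(NAMES[expected])
        elif got != "*":
            raise ValueError("unexpected %r where %r or '*' belongs" % (got, expected))
    return flags


def anomalies(flags):
    """List the reasons a flag combination does not fit normal TCP behaviour."""
    found = []
    if not flags:
        found.append("no flags set")
    if {"SYN", "RST"} <= flags:
        found.append("SYN and RST set together")
    if {"SYN", "FIN"} <= flags:
        found.append("SYN and FIN set together")
    if "SYN" in flags and "ACK" not in flags and flags & {"URG", "PSH"}:
        found.append("URG or PSH on an initial SYN")
    reserved = sorted(flags & {"RES1", "RES2"})
    if reserved:
        # Weak signal alone: these bits were later assigned to ECN (RFC 3168).
        found.append("reserved bit set: " + ", ".join(reserved))
    return found


def triage(log_line):
    """Split a portscan log line into (scan_type, flag_names, findings)."""
    scan_type, flag_string = log_line.split()[-2:]
    flags = decode_flags(flag_string)
    return scan_type, sorted(flags), anomalies(flags)


# Constructed input: the two quoted lines above joined into one.
SAMPLE = "Aug 9 11:48:39 18.104.22.168:2051 -> xxx.yyy.zzz.66:443 NOACK *2U*PRS*"

if __name__ == "__main__":
    print(triage(SAMPLE))
```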