[Snort-users] "portscans" that only hit one host, one time?

McCammon, Keith Keith.McCammon at ...3497...
Fri Aug 9 10:51:03 EDT 2002


[WARNING: Slightly off-topic]

> Aug  9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443 
> NOACK *2U*PRS*

I don't know much about spp_portscan internals, so I'm not sure why this was logged.  However, I'd sure as hell qualify this as a portscan.  This packet is definitely crafted to bypass a filter or elicit a response for fingerprinting or the like.   




More information about the Snort-users mailing list