[Snort-users] portscan log...
edwin1118 at ...125...
Fri Feb 1 01:38:01 EST 2002
Ah ok... but I noticed that my alert file shows a lot of spp_portscan
packets... are they all false positive alarms? How will I stop this?
Sorry, as I am still new to Snort.
Thankful for your response.
02/01-17:12:01.113781 [**] [100:2:1] spp_portscan: portscan status from
192.168.1.66: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
02/01-17:12:01.113865 [**] [100:2:1] spp_portscan: portscan status from
192.168.2.20: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:02.122956 [**] [100:2:1] spp_portscan: portscan status from
192.168.1.12: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
02/01-17:12:03.122865 [**] [100:2:1] spp_portscan: portscan status from
126.96.36.199: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:03.122933 [**] [100:2:1] spp_portscan: portscan status from
188.8.131.52: 3 connections across 3 hosts: TCP(3), UDP(0) [**]
>From: John Sage <jsage at ...2022...>
>To: Edwin Pua <edwin1118 at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] portscan log...
>Date: Thu, 31 Jan 2002 06:42:45 -0800
>On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
> > Hi Joe,
> > Ok, thanks for the explanation.. but how am I going to know that he was
> > connected to my TCP port? Or that I was being attacked/hacked by this source?
> > I'm using the default rules in my Snort box.
>If all you ever see are SYN packets from that IP, he's never connected.
>A finished connection is a SYN coming in to you, you sending an ACK/SYN
>back out to him, and him sending an ACK/SYN back to you.
>Only *then* is the connection established.
>May I recommend "TCP/IP Illustrated, vol. 1", W. R. Stevens, Addison-Wesley.
>Read that. It'll make a *lot* of stuff more understandable.
>Most people don't type their own logfiles; but, what do I care?
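As an added example (not from the thread or from Snort itself), a small Python script that parses the spp_portscan "portscan status" lines quoted above, totals them per source address, and marks sources that touched at least 4 hosts for review; the threshold, the labels and the wrapped two-line input form are my assumptions, and the sample input is constructed from the five alerts in the post.

```python
import re
from collections import defaultdict

# Constructed input: the five alert-file entries quoted in the post,
# each wrapped onto two lines exactly as they appear in the mail.
SAMPLE_ALERTS = """\
02/01-17:12:01.113781 [**] [100:2:1] spp_portscan: portscan status from
192.168.1.66: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
02/01-17:12:01.113865 [**] [100:2:1] spp_portscan: portscan status from
192.168.2.20: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:02.122956 [**] [100:2:1] spp_portscan: portscan status from
192.168.1.12: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
02/01-17:12:03.122865 [**] [100:2:1] spp_portscan: portscan status from
126.96.36.199: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:03.122933 [**] [100:2:1] spp_portscan: portscan status from
188.8.131.52: 3 connections across 3 hosts: TCP(3), UDP(0) [**]
"""

# \s+ after "from" accepts both a single-line alert and the mail-wrapped form.
STATUS_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[100:2:1\] "
    r"spp_portscan: portscan status from\s+(?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\) \[\*\*\]"
)

def parse_status_alerts(text):
    """Return one dict per 'portscan status' alert found in text."""
    return [{k: (v if k in ("ts", "src") else int(v)) for k, v in m.groupdict().items()}
            for m in STATUS_RE.finditer(text)]

def summarize_by_source(alerts):
    """Sum connections, hosts touched, TCP and UDP counts per source address."""
    totals = defaultdict(lambda: {"alerts": 0, "conns": 0, "hosts": 0, "tcp": 0, "udp": 0})
    for a in alerts:
        t = totals[a["src"]]
        t["alerts"] += 1
        for k in ("conns", "hosts", "tcp", "udp"):
            t[k] += a[k]
    return dict(totals)

def triage(summary, min_hosts=4):
    """Label each source by the protocol that produced the alert and flag it for
    review when it touched at least min_hosts hosts (assumed threshold). The alert
    text only counts attempts; whether anything connected needs the packet logs."""
    report = {}
    for src, t in sorted(summary.items()):
        proto = "tcp" if t["udp"] == 0 else "udp" if t["tcp"] == 0 else "mixed"
        report[src] = {"proto": proto, "review": t["hosts"] >= min_hosts}
    return report

if __name__ == "__main__":
    s = summarize_by_source(parse_status_alerts(SAMPLE_ALERTS))
    for src, r in triage(s).items():
        print(f"{src:16} {r['proto']:5} hosts={s[src]['hosts']} review={r['review']}")
```

On the sample, only the two 192.168.1.x hosts reach the threshold, both over UDP; pointing this script at the real alert file (where each alert is on one line) gives the same per-source view for a whole day.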