[Snort-users] portscan log...

Edwin Pua edwin1118 at ...125...
Fri Feb 1 01:38:01 EST 2002


Ah, ok... but I noticed that my alert file shows a lot of spp_portscan
packets... are they all false-positive alarms? How will I stop this?
Sorry, I am still new to Snort.

Thankful for your response.


02/01-17:12:01.113781  [**] [100:2:1] spp_portscan: portscan status from 
192.168.1.66: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
02/01-17:12:01.113865  [**] [100:2:1] spp_portscan: portscan status from 
192.168.2.20: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:02.122956  [**] [100:2:1] spp_portscan: portscan status from 
192.168.1.12: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
02/01-17:12:03.122865  [**] [100:2:1] spp_portscan: portscan status from 
173.42.4.5: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:03.122933  [**] [100:2:1] spp_portscan: portscan status from 
172.42.4.8: 3 connections across 3 hosts: TCP(3), UDP(0) [**]
....


rgds,
Edwin



>From: John Sage <jsage at ...2022...>
>To: Edwin Pua <edwin1118 at ...125...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] portscan log...
>Date: Thu, 31 Jan 2002 06:42:45 -0800
>
>On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
> >
> > Hi Joe,
> >
> > Ok, thanks for the explanation... but how am I going to know that he was
> > already connected to my TCP port, or that I was being attacked/hacked by
> > this source IP?
> > I'm using the default rules in my Snort box.
>
>If all you ever see are SYN packets from that IP, he's never connected.
>
>A finished connection is a SYN coming in to you, you sending an ACK/SYN 
>back out to him, and him sending an ACK/SYN back to you.
>
>Only *then* is the connection established.
>
>May I recommend "TCP/IP Illustrated, Vol. 1" by W. R. Stevens,
>Addison-Wesley.
>
>Read that. It'll make a *lot* of stuff more understandable.
>
>
>- John
>
>--
>Most people don't type their own logfiles;  but, what do I care?
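Two small checks that follow from this thread, written as an added example (not Snort code and not from either poster): the first parses the spp_portscan "portscan status" lines quoted above (reproduced here as a constructed sample, in the wrapped form the mail client produced) and summarises them per source; the second takes a sequence of packets and reports whether a peer ever finished the standard three-way handshake (SYN from the peer, SYN/ACK back, then a bare ACK from the peer), which is the test behind "if all you ever see are SYN packets, he's never connected". The triage heuristic in `triage()`, the packet tuples and all IP addresses are assumptions made for illustration.

```python
"""Summarise spp_portscan status alerts per source and check whether a
packet sequence contains a completed TCP handshake.  Added example for the
thread above; not code from Snort or from the original posters."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the alert lines quoted in the post, kept in the
# wrapped form the mail client produced (source IP on the following line).
SAMPLE_ALERTS = """\
02/01-17:12:01.113781  [**] [100:2:1] spp_portscan: portscan status from
192.168.1.66: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
02/01-17:12:01.113865  [**] [100:2:1] spp_portscan: portscan status from
192.168.2.20: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:02.122956  [**] [100:2:1] spp_portscan: portscan status from
192.168.1.12: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
02/01-17:12:03.122865  [**] [100:2:1] spp_portscan: portscan status from
173.42.4.5: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:03.122933  [**] [100:2:1] spp_portscan: portscan status from
172.42.4.8: 3 connections across 3 hosts: TCP(3), UDP(0) [**]
"""

# The \s+ after "from" tolerates the line wrap as well as a plain space.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[100:2:1\]\s+"
    r"spp_portscan: portscan status from\s+(?P<src>\d+(?:\.\d+){3}):\s+"
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts:\s+"
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)\s+\[\*\*\]"
)


def parse_portscan_alerts(text):
    """Return one dict (ts, src, conns, hosts, tcp, udp) per status alert."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        d = m.groupdict()
        for key in ("conns", "hosts", "tcp", "udp"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def triage(src, s):
    """Heuristic assumed for this example (not a Snort rule): a private-range
    source that only touched a handful of hosts over UDP looks like ordinary
    LAN chatter; anything external, or anything using TCP, gets reviewed."""
    private = ipaddress.ip_address(src).is_private
    if private and s["tcp"] == 0 and s["hosts"] <= 5:
        return "likely benign LAN noise"
    return "review"


def summarise_by_source(alerts):
    """Aggregate alerts per source IP and attach the triage hint."""
    agg = defaultdict(lambda: {"alerts": 0, "conns": 0, "hosts": 0, "tcp": 0, "udp": 0})
    for a in alerts:
        s = agg[a["src"]]
        s["alerts"] += 1
        s["conns"] += a["conns"]
        s["hosts"] = max(s["hosts"], a["hosts"])
        s["tcp"] += a["tcp"]
        s["udp"] += a["udp"]
    for src, s in agg.items():
        s["triage"] = triage(src, s)
    return dict(agg)


# TCP flag bits as they appear in the header.
SYN, ACK = 0x02, 0x10


def handshake_completed(packets, peer, me):
    """packets: iterable of (src, dst, flags).  True only once the three
    segments of the standard handshake are seen in order: SYN from peer,
    SYN/ACK from me, then an ACK without SYN from peer.  A bare SYN, or a
    burst of SYNs with no reply, never gets past state 0."""
    state = 0
    for src, dst, flags in packets:
        if state == 0 and (src, dst) == (peer, me) and flags & SYN and not flags & ACK:
            state = 1
        elif state == 1 and (src, dst) == (me, peer) and flags & SYN and flags & ACK:
            state = 2
        elif state == 2 and (src, dst) == (peer, me) and flags & ACK and not flags & SYN:
            return True
    return False


# Constructed captures (hypothetical addresses): a SYN-only probe versus a
# connection that was actually established.
SYN_ONLY = [("10.0.0.9", "192.168.1.5", SYN)] * 3
FULL = [("10.0.0.9", "192.168.1.5", SYN),
        ("192.168.1.5", "10.0.0.9", SYN | ACK),
        ("10.0.0.9", "192.168.1.5", ACK)]

if __name__ == "__main__":
    for src, s in summarise_by_source(parse_portscan_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:15} conns={s['conns']} hosts={s['hosts']} "
              f"tcp={s['tcp']} udp={s['udp']}  {s['triage']}")
    print("SYN only :", handshake_completed(SYN_ONLY, "10.0.0.9", "192.168.1.5"))
    print("full     :", handshake_completed(FULL, "10.0.0.9", "192.168.1.5"))
```

Run it against a real alert file by reading the file into `parse_portscan_alerts`; the per-source summary tells you which sources are only producing small UDP fan-out from inside the LAN and which ones deserve a look at the packet log, where `handshake_completed` is the question to ask of each suspicious peer.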

