[Snort-users] Finding out more info ...

Stuart Grimshaw stuart at ...4204...
Wed Jan 9 07:42:18 EST 2002


I get very few alerts from Snort, and even fewer that aren't something to do 
with Codered, but when I do get them I like to try and at least bone up on 
what they are & what might be causing them, so ...

1) Is there an alternative to whitehats?

or ...

2) What might be causing this (from Demarc)...

IDS ALERT at: 2002-01-09 15:03:22
SIGNATURE: spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 305
SRC IP: 24.201.12.2
DST IP: 212.56.92.26
______________________________
IDS ALERT at: 2002-01-09 15:04:14
SIGNATURE: spp_portscan: PORTSCAN DETECTED to port 22 from 24.201.12.2 (STEALTH)
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 306
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________
IDS ALERT at: 2002-01-09 15:05:08
SIGNATURE: spp_portscan: portscan status from 24.201.12.2: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 307
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________
IDS ALERT at: 2002-01-09 15:07:10
SIGNATURE: spp_portscan: End of portscan from 24.201.12.2: TOTAL time(4s) hosts(1) TCP(2) UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 308
SRC IP: 0.0.0.0
DST IP: 0.0.0.0

-- 

| Stuart Grimshaw <stuart at ...4205...>
| Chief Operations Officer
| Football Networks Ltd
|-
| t:07976 625221
| f:0870 7060260
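One way to make sense of records like the ones above is to parse the Demarc alert blocks and line them up per source host, so the spp_stream4 SYN FIN detection and the spp_portscan records that follow it show up as one timeline. This is an added example, not code from the post or from Demarc/Snort; the sample text is constructed in the same layout as the quoted alerts, and the point it handles is that spp_portscan records report 0.0.0.0 in SRC IP, so the real source has to be pulled out of the SIGNATURE text.

```python
import re
from collections import defaultdict

# Constructed sample in the Demarc layout quoted in the post (HOST/SID lines omitted)
SAMPLE_ALERTS = """\
IDS ALERT at: 2002-01-09 15:03:22
SIGNATURE: spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
CID: 305
SRC IP: 24.201.12.2
DST IP: 212.56.92.26
______________________________
IDS ALERT at: 2002-01-09 15:04:14
SIGNATURE: spp_portscan: PORTSCAN DETECTED to port 22 from 24.201.12.2 (STEALTH)
CID: 306
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________
IDS ALERT at: 2002-01-09 15:07:10
SIGNATURE: spp_portscan: End of portscan from 24.201.12.2: TOTAL time(4s) hosts(1) TCP(2) UDP(0) STEALTH
CID: 308
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?): (.*)$")
FROM_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")

def parse_alerts(text):
    """Split on the underscore separator lines; return one {field: value} dict per alert."""
    alerts = []
    for block in re.split(r"^_{5,}\s*$", text, flags=re.M):
        matches = (FIELD_RE.match(line.strip()) for line in block.splitlines())
        fields = {m.group(1): m.group(2).strip() for m in matches if m}
        if fields:
            alerts.append(fields)
    return alerts

def source_of(alert):
    """spp_portscan records report SRC IP 0.0.0.0; the real source is only in the SIGNATURE text."""
    if alert.get("SRC IP", "0.0.0.0") != "0.0.0.0":
        return alert["SRC IP"]
    m = FROM_RE.search(alert.get("SIGNATURE", ""))
    return m.group(1) if m else None

def timeline_by_source(text):
    """Group (timestamp, CID, signature) per attacking host, oldest first."""
    grouped = defaultdict(list)
    for a in parse_alerts(text):
        grouped[source_of(a)].append((a["IDS ALERT at"], int(a["CID"]), a["SIGNATURE"]))
    return {src: sorted(events) for src, events in grouped.items()}
```

Running `timeline_by_source` over a real Demarc export groups all three record types under 24.201.12.2, which is what you want before checking that host against a blocklist or your own firewall logs.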