[Snort-users] portscan log...

Joe McAlerney joey at ...47...
Thu Jan 31 12:42:02 EST 2002


If Snort has detected activity from this address before, it will have
logged that activity in your "alert" file and under the source IP
address subdirectory of your log directory (defaulting to
/var/log/snort).  You can run SnortSnarf on the log files to display all
activity from that particular IP address.  Alternatively, you can use
Snort's database plugin (or Barnyards) to store alerts in the database,
and view them similarly using ACID.

Hope this helps,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

Edwin Pua wrote:
> 
> Hi Joe,
> 
> ok thanks for the explanation..but how am I gonna know that he was already
> connected to my tcp port? or was I being attacked/hacked by this source ip?
> I'm using the default rules in my snort box.
> 
> rgds,
> edwin
> 
> >From: Joe McAlerney <joey at ...47...>
> >To: Edwin Pua <edwin1118 at ...125...>
> >CC: snort-users at lists.sourceforge.net
> >Subject: Re: [Snort-users] portscan log...
> >Date: Wed, 30 Jan 2002 18:34:13 -0800
> >
> >Hi Edwin,
> >
> >It means the portscanner used TCP packets with only the SYN bit set.
> >These packets are used to initiate TCP connections.  The person is
> >presumably looking for TCP services running on your box.
> >
> >For more information on the portscan plugin, take a look at:
> >
> >http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.4.3
> >
> >-Joe M.
> >
> >--
> >Joe McAlerney
> >Software Developer / Security Consultant
> >joey at ...47...
> >Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/
> >
> >Edwin Pua wrote:
> > >
> > > Hi,
> > >
> > >       I saw this message under my portscan.log file and I know that this
> > > source ip 137.132.83.218 is scanning my ip 211.156.185.143 but what does
> > > SYN*****S* mean?
> > >
> > > Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
> > > Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
> > > Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
> > > Jan 29 18:52:36 137.132.83.218:2004 -> 211.166.185.143:3377 SYN ******S*
> > > Jan 29 18:52:36 137.132.83.218:2005 -> 211.166.185.143:3378 SYN ******S*
> > > Jan 29 18:52:37 137.132.83.218:2006 -> 211.166.185.143:3379 SYN ******S*
> > > Jan 29 18:52:37 137.132.83.218:2007 -> 211.166.185.143:3380 SYN ******S*
> > > Jan 29 18:52:38 137.132.83.218:2008 -> 211.166.185.143:3381 SYN ******S*
> > > Jan 29 18:52:38 137.132.83.218:2010 -> 211.166.185.143:3383 SYN ******S*
> > > Jan 29 18:52:39 137.132.83.218:2011 -> 211.166.185.143:3384 SYN ******S*
> > > Jan 29 18:52:39 137.132.83.218:2012 -> 211.166.185.143:3385 SYN ******S*
> > > Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*
> > >
> > > rgds,
> > > edwin
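The portscan.log lines quoted in the thread are easy to digest with a few lines of code. The following is an added example (not from the list posts or from the Snort project) that parses that log layout, decodes the eight-character flag mask Joe describes (the order `12UAPRSF` and the year 2002 are assumptions, since the log line carries no year), and summarises per source address which ports were probed, over what time span, and with which flag combinations. The sample input is copied from Edwin's log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Snort 1.x portscan.log line, in the layout quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<mask>[12UAPRSF*]{8})$")

# Assumed mask layout: Snort prints TCP flags as 8 characters in the order
# 1 2 U A P R S F (two reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' is
# an unset bit, so "******S*" is a packet with only SYN set.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def decode_flags(mask):
    """Return the set of TCP flag names that are set in a Snort flag mask."""
    return {name for c, name in zip(mask, FLAG_NAMES) if c != "*"}

def parse_line(line, year=2002):
    """Parse one line; the log omits the year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "flags": decode_flags(m["mask"])}

def summarize(lines, year=2002):
    """Per source IP: distinct target ports, time span, flag combinations."""
    out = defaultdict(lambda: {"ports": set(), "flags": set(),
                               "first": None, "last": None})
    for line in lines:
        e = parse_line(line, year)
        if e is None:
            continue  # blank or unrelated line
        s = out[e["src"]]
        s["ports"].add(e["dport"])
        s["flags"].add(frozenset(e["flags"]))
        s["first"] = min(filter(None, (s["first"], e["ts"])))
        s["last"] = max(filter(None, (s["last"], e["ts"])))
    return dict(out)

# Sample input: four lines copied from Edwin's portscan.log quoted above.
SAMPLE = """\
Jan 29 18:52:34 137.132.83.218:1999 -> 211.156.185.143:3372 SYN ******S*
Jan 29 18:52:34 137.132.83.218:2000 -> 211.156.185.143:3373 SYN ******S*
Jan 29 18:52:35 137.132.83.218:2003 -> 211.156.185.143:3376 SYN ******S*
Jan 29 18:52:40 137.132.83.218:2014 -> 211.166.185.143:3387 SYN ******S*
""".splitlines()
```

Running `summarize(SAMPLE)` shows one source touching four distinct ports within six seconds using SYN-only packets, which is the pattern the portscan preprocessor flagged; the same summary run over the "alert" file entries Joe mentions tells you whether anything beyond the scan was seen from that address.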
