[Snort-users] portscan ?
athomas at ...5484...
Sat Jun 8 22:23:04 EDT 2002
While analysing what caused a portscan, I see that
a lot of the portscans in my network are like this:
Jun 8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
Jun 8 22:20:26 A.B.C.97:4987 -> X.Y.37.101:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1033 -> U.M.237.140:80 SYN ******S*
Jun 8 22:20:27 A.B.C.97:4993 -> A.W.209.13:80 SYN ******S*
Jun 8 22:20:28 A.B.C.97:4995 -> P.Q.64.132:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1026 -> Q.R.212.39:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1031 -> L.M.237.128:80 SYN ******S*
where A.B.C.0 is my network.
I think when A.B.C.97 issues different requests to
different web servers, Snort somehow sees this as a portscan.
Can I specify something in the configuration so that
Snort will not see this as a portscan?
Any pointers/ideas?
I am running Snort as
./snort -i eth1 -h A.B.C.0/16 -c snort.conf -l./LOGS/ -d
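
A triage sketch for log entries in the format shown in this post, added here as an example and not part of the original message or of Snort. It summarises, per source, how many distinct destination hosts and ports appear, so that one client contacting port 80 on many servers can be told apart from one host being probed on many ports. The function names, the `WEB_PORTS` set and the labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines are copied from the post (addresses
# masked as in the original); the 10.0.0.5 lines are made up for contrast.
SAMPLE = """\
Jun 8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
Jun 8 22:20:26 A.B.C.97:4987 -> X.Y.37.101:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1033 -> U.M.237.140:80 SYN ******S*
Jun 8 22:21:02 10.0.0.5:3301 -> 10.0.9.9:21 SYN ******S*
Jun 8 22:21:02 10.0.0.5:3302 -> 10.0.9.9:22 SYN ******S*
Jun 8 22:21:02 10.0.0.5:3303 -> 10.0.9.9:23 SYN ******S*
"""

# timestamp, src:port -> dst:port, scan type, TCP flag string
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<kind>\S+)\s+(?P<flags>\S+)$"
)

WEB_PORTS = {80, 443}  # assumption: ports treated as ordinary web traffic


def summarize(text):
    """Return {source: {"hosts": set, "ports": set, "events": int}}."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "events": 0})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        s = stats[m["src"]]
        s["hosts"].add(m["dst"])
        s["ports"].add(int(m["dport"]))
        s["events"] += 1
    return dict(stats)


def classify(s):
    """Hypothetical triage labels, not Snort terminology."""
    if s["ports"] <= WEB_PORTS:
        return "web fan-out"        # many servers, web ports only
    if len(s["hosts"]) == 1 and len(s["ports"]) > 1:
        return "single-host sweep"  # one target, several ports
    return "mixed"


if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, len(s["hosts"]), "hosts", sorted(s["ports"]), classify(s))
```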