[Snort-users] portscan ?

Estes, Matt PEO EIS CPR / FCBS Matt.Estes at ...5454...
Mon Jun 10 13:28:05 EDT 2002


In your portscan config line in snort.conf, make sure you aren't watching
all hosts (especially external ones) for portscans.

Matt

> -----Original Message-----
> From: Ashley Thomas [mailto:athomas at ...5484...]
> Sent: Sunday, June 09, 2002 1:22 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] portscan ?
> 
> 
> Hi,
> 
> While analysing what caused a portscan, I see that
> a lot of the portscans in my network are like this:
> 
> Jun  8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
> Jun  8 22:20:26 A.B.C.97:4987 -> X.Y.37.101:80 SYN ******S*
> Jun  8 22:20:31 A.B.C.97:1033 -> U.M.237.140:80 SYN ******S*
> Jun  8 22:20:27 A.B.C.97:4993 -> A.W.209.13:80 SYN ******S*
> Jun  8 22:20:28 A.B.C.97:4995 -> P.Q.64.132:80 SYN ******S*
> Jun  8 22:20:31 A.B.C.97:1026 -> Q.R.212.39:80 SYN ******S*
> Jun  8 22:20:31 A.B.C.97:1031 -> L.M.237.128:80 SYN ******S*
> where A.B.C.0 is my network.
> 
> I think when A.B.C.97 issues different requests to 
> different web servers, snort somehow sees this as a portscan.
> 
> Can I specify something in the configuration so that
> snort will not see this as a portscan?
> 
> Any pointers/ideas?
> 
> I am running snort as 
> ./snort -i eth1 -h A.B.C.0/16 -c snort.conf -l./LOGS/ -d
> 
> thanks
> ashley thomas
> 
> 
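
Added example, not part of the original messages and not Snort's own detection logic: a Python triage script that parses portscan log lines in the format quoted above and separates a one-port, many-hosts pattern (what the quoted entries show) from a many-ports probe. The threshold, the function names and the constructed sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Format of the log lines quoted in the thread, e.g.
#   Jun  8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+"
    r"(?P<src>\S+):\d+\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+\S+"
)

def summarize(lines):
    """Per source address: the distinct destination hosts and ports seen."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a scan entry (blank line, header, truncated line)
        stats[m["src"]]["hosts"].add(m["dst"])
        stats[m["src"]]["ports"].add(int(m["dport"]))
    return dict(stats)

def classify(entry, threshold=4):
    """Label the shape of one source's traffic (threshold is an assumption)."""
    if len(entry["ports"]) >= threshold:
        return "multi-port"   # many ports probed: classic port scan shape
    if len(entry["hosts"]) >= threshold:
        return "fan-out"      # few ports, many hosts: busy client or sweep
    return "low-volume"

# First seven lines are the ones quoted in the thread; the rest are constructed.
SAMPLE = """\
Jun  8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
Jun  8 22:20:26 A.B.C.97:4987 -> X.Y.37.101:80 SYN ******S*
Jun  8 22:20:31 A.B.C.97:1033 -> U.M.237.140:80 SYN ******S*
Jun  8 22:20:27 A.B.C.97:4993 -> A.W.209.13:80 SYN ******S*
Jun  8 22:20:28 A.B.C.97:4995 -> P.Q.64.132:80 SYN ******S*
Jun  8 22:20:31 A.B.C.97:1026 -> Q.R.212.39:80 SYN ******S*
Jun  8 22:20:31 A.B.C.97:1031 -> L.M.237.128:80 SYN ******S*
Jun  8 22:21:02 198.51.100.7:40001 -> A.B.C.10:21 SYN ******S*
Jun  8 22:21:02 198.51.100.7:40002 -> A.B.C.10:22 SYN ******S*
Jun  8 22:21:02 198.51.100.7:40003 -> A.B.C.10:23 SYN ******S*
Jun  8 22:21:03 198.51.100.7:40004 -> A.B.C.10:25 SYN ******S*
Jun  8 22:21:03 198.51.100.7:40005 -> A.B.C.10:80 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE).items():
        print(src, classify(entry), len(entry["hosts"]), sorted(entry["ports"]))
```

A "fan-out" label on port 80 from an internal address is consistent with ordinary web browsing, but it does not rule out a sweep, so the source host is still worth a look before its alerts are tuned out.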