[Snort-users] Understanding spp_portscan2 results

Domingos Costa domingos at ...8848...
Fri Apr 11 08:16:02 EDT 2003


I want to understand this kind of result from the spp_portscan2 preprocessor:

#1-3209246| [2003-04-11 10:54:56] XXX.XXX.XXX.XXX:1443 -> XXX.XXX.XXX.XXX:3462 [snort/1] 
(spp_portscan2) Portscan detected
from XXX.XXX.XXX.XXX: 4 targets 21 ports in 51 seconds


First: it said "4 targets" but it showed only one connection (XXX.XXX.XXX.XXX:1443 ->
XXX.XXX.XXX.XXX:3462). So where are the other 3 target hosts?

Second: it said "21 ports" but it showed only one src port and dst. Can I suppose that IP
XXX.XXX.XXX.XXX scanned only this dst port 21 times?

Probably, I'm making some confusion about this kind of log. So, help me out.

Thanks in advance,


Domingos Costa
domingos at ...8848...



