[Snort-users] Understanding spp_portscan2 results

Sasa Jusic sjusic at ...8898...
Wed Apr 16 06:42:34 EDT 2003


Hi Domingos,

This is a really good question. Reviewing the Snort results I have noticed
the same problem. From those alerts it is definitely not clear what was
really scanned.

I would really appreciate it if someone could explain what this really means.

Best regards,

Sasa Jusic
Sasa.jusic at ...7849...
Laboratory for Systems and Signals, http://www.lss.hr


:> -----Original Message-----
:> From: snort-users-admin at lists.sourceforge.net
:> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Domingos
:> Costa
:> Sent: 11 April 2003 17:07
:> To: snort-users at lists.sourceforge.net
:> Subject: [Snort-users] Understanding spp_portscan2 results
:> 
:> 
:> I wanna understand this kind of result from the spp_portscan2 
:> preprocessor:
:> 
:> #1-3209246| [2003-04-11 10:54:56] XXX.XXX.XXX.XXX:1443 -> 
:> XXX.XXX.XXX.XXX:3462 [snort/1] 
:> (spp_portscan2) Portscan detected
:> from XXX.XXX.XXX.XXX: 4 targets 21 ports in 51 seconds
:> 
:> 
:> First: it said "4 targets" but it showed only one connection 
:> (XXX.XXX.XXX.XXX:1443 ->
:> XXX.XXX.XXX.XXX:3462). So where are the other 3 target hosts?
:> 
:> Second: it said "21 ports" but it showed only one src port 
:> and dst. Can I suppose that IP
:> XXX.XXX.XXX.XXX scanned only this dst port 21 times?
:> 
:> Probably, I'm making some confusion about this kind of log. 
:> So, help me out.
:> 
:> Thanks in advance,
:> 
:> 
:> Domingos Costa
:> domingos at ...8848...
:> 
:> 