[Snort-users] Understanding spp_portscan2 results
sjusic at ...8898...
Wed Apr 16 06:42:34 EDT 2003
This is a really good question. Reviewing the Snort results I have noticed
the same problem. From those alerts it is definitely not clear what was
I would really appreciate it if someone could explain what this really means.
Sasa.jusic at ...7849...
Laboratory for Systems and Signals, http://www.lss.hr
:> -----Original Message-----
:> From: snort-users-admin at lists.sourceforge.net
:> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Domingos
:> Sent: 11. travanj 2003 17:07
:> To: snort-users at lists.sourceforge.net
:> Subject: [Snort-users] Understanding spp_portscan2 results
:> I wanna understand this kind of results from spp_portscan2
:> #1-3209246| [2003-04-11 10:54:56] XXX.XXX.XXX.XXX:1443 ->
:> XXX.XXX.XXX.XXX:3462 [snort/1]
:> (spp_portscan2) Portscan detected
:> from XXX.XXX.XXX.XXX: 4 targets 21 ports in 51 seconds
:> First: it said "4 targets" but it showed only one connection
:> (XXX.XXX.XXX.XXX:1443 ->
:> XXX.XXX.XXX.XXX:3462). So where are the other 3 target hosts?
:> Second: it said "21 ports" but it showed only one src port
:> and dst. Can I suppose that ip
:> XXX.XXX.XXX.XXX scanned only this dst port 21 times?
:> Probably, I'm making some confusion about this kind of log.
:> So, help me out.
:> Thanks in advance,
:> Domingos Costa
:> domingos at ...8848...