[Snort-users] portscan2 and conversation

Denny Page denny at ...10070...
Sat Sep 13 16:03:03 EDT 2003


Ok, dumb question time.

I have portscan2 set up to ignore hosts from my local network.  This appears
to work fine for both TCP and UDP.  I.E. no alerts from DNS activity, and no
alerts from nmaps within the network.  Nmaps from outside the network
trigger alerts as you would expect.  This is all desirable.

What is not desirable is that alerts are being triggered by outbound HTTP
requests.  When visiting a site that is comprised of many individual files
such as graphic navigation bars (www.securityfocus.com is one such) ,
portscan2 reports that the remote HTTP server is executing a portscan on the
machine running the browser.

Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP
server sends in response to the SYN from the browser.  Since the SYN-ACK is
being in response to a connection (conversation) initiated by a portscan2
ignored host, I would not expect it to trigger an alert.  Isn't this what
conversation is for?

Am I missing something, or is portscan2 goofy?

Thanks for any assistance,

Denny





More information about the Snort-users mailing list