[Snort-users] portscan2 and conversation

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Mon Sep 15 08:26:12 EDT 2003

I thought so too... but we've experiences the same thing.  I believe the
issue was that a valid connection counts, since if someone was scanning
they may make a valid connection and send data to make it look real.
The likely culprit is the lack of keepalives on the server, causing your
system to open a new connection for every item to download... thus
giving you a new local port and looking like that web server is
portscanning you.  You could do a portscan-ignoreports-from 80... but
then anyone knowing how to set their scanner from source pot 80 would
defeat you...

-----Original Message-----
From: Denny Page [mailto:denny at ...10070...] 
Sent: Saturday, September 13, 2003 6:03 PM
To: Snort Users
Subject: [Snort-users] portscan2 and conversation

Ok, dumb question time.

I have portscan2 set up to ignore hosts from my local network.  This
to work fine for both TCP and UDP.  I.E. no alerts from DNS activity,
and no
alerts from nmaps within the network.  Nmaps from outside the network
trigger alerts as you would expect.  This is all desirable.

What is not desirable is that alerts are being triggered by outbound
requests.  When visiting a site that is comprised of many individual
such as graphic navigation bars (www.securityfocus.com is one such) ,
portscan2 reports that the remote HTTP server is executing a portscan on
machine running the browser.

Portscan2 appears to be triggering on the inbound SYN-ACK that the HTTP
server sends in response to the SYN from the browser.  Since the SYN-ACK
being in response to a connection (conversation) initiated by a
ignored host, I would not expect it to trigger an alert.  Isn't this
conversation is for?

Am I missing something, or is portscan2 goofy?

Thanks for any assistance,


This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list