[Snort-users] portscan question
dlc at ...6294...
Wed Apr 28 06:37:14 EDT 2004
A week or so ago I started noticing that my machine was being scanned a
lot, as reported by the snort portscanner. I began investigating and,
behold, a lot of the machines doing the scanning were in my area. I
work at a University in the Computer Science department where there are
a lot of students. The machines in question happen to be some of the
grad students and one was even a professor. So after a lot of work I
noticed that every time I received a scan that entry was also in the ftp
logs as well. The ports that they were scanning happen to be the same
ports that the ftp daemon was supplying as the passive port back to the
client. I have tried to reproduce the problem using ftp to connect but
can't for some unknown reason.

My question is this: Has anyone else noticed the portscanner picking up
false readings from ftp connections? Below is how I have the
portscanner configured in the snort.conf file. If you need other info
please ask and I will gladly provide it.

preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

thanks for any insight.....
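
Added example, not part of the original post and not Snort code: a simplified model of the threshold in the posted `preprocessor portscan: $HOME_NET 4 20` line (4 ports within 20 seconds), showing how a client that opens several passive FTP data connections in quick succession crosses it and how such hits can be separated from unexplained ones. The addresses, ports, timings and function names are constructed, and the counting rule is an assumption about how the threshold behaves, not the preprocessor's actual algorithm.

```python
from collections import defaultdict, deque

# Thresholds from the post's line: preprocessor portscan: $HOME_NET 4 20 ...
PORTS, SECONDS = 4, 20

def threshold_hits(conns, ports=PORTS, seconds=SECONDS):
    """conns: (ts_seconds, src_ip, dst_port) tuples sorted by time.
    Returns {src_ip: ts when `ports` distinct ports fell inside one window}."""
    recent, hits = defaultdict(deque), {}
    for ts, src, port in conns:
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > seconds:      # drop connections older than the window
            q.popleft()
        if src not in hits and len({p for _, p in q}) >= ports:
            hits[src] = ts
    return hits

def classify(hits, conns, pasv_issued):
    """Label each flagged source by whether every port it touched was a
    passive port the FTP daemon had handed to that same client."""
    touched = defaultdict(set)
    for _, src, port in conns:
        touched[src].add(port)
    return {src: "ftp-passive" if touched[src] <= pasv_issued.get(src, set())
                 else "unexplained"
            for src in hits}

# Constructed sample data (not taken from the post).
# Passive ports the FTP daemon announced, per client, as read from its log:
PASV_ISSUED = {"10.0.0.5": {50001, 50002, 50003, 50004},
               "10.0.0.9": {50010, 50011}}
# Inbound TCP connections to the server, excluding the port 21 control channel:
CONNS = [
    (0, "10.0.0.5", 50001), (3, "10.0.0.5", 50002),   # four transfers in 12 s
    (5, "10.0.0.9", 50010), (8, "10.0.0.5", 50003),
    (12, "10.0.0.5", 50004), (40, "10.0.0.9", 50011), # two transfers, 35 s apart
    (60, "10.0.0.7", 22), (61, "10.0.0.7", 23),       # no FTP session at all
    (62, "10.0.0.7", 25), (63, "10.0.0.7", 80),
]

if __name__ == "__main__":
    hits = threshold_hits(CONNS)
    for src, label in classify(hits, CONNS, PASV_ISSUED).items():
        print(f"{src}: threshold crossed at t={hits[src]}s -> {label}")
```
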