[Snort-users] portscan question

Darryl Cook dlc at ...6294...
Wed Apr 28 06:37:14 EDT 2004

A week or so ago I started noticing that my machine was being scanned a 
lot as reported by the snort portscanner.  I began investigating and 
behold a lot of the machines doing the scanning were in my area.   I 
work at a University in the Computer Science department where there are 
a lot of students.  The machines in question happen to be some of the 
grad students and one was even a professor.  So after  a lot of work I 
noticed that every time I received a scan that entry was also in the ftp 
logs as well.  The ports that they were scanning happen to be the same 
ports that the ftp daemon was supplying as the passive port back to the 
client.  I have tried to reproduce the problem using ftp to connect but 
cant for some unknown reason. 

My question is this:  Has anyone else noticed the portscanner picking up 
false readings from ftp connections?  Below is how I have the 
portscanner configured in the snort.conf file.  If you need other info 
please ask and I will gladly provide it.

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

thanks for any insight.....

darryl cook

More information about the Snort-users mailing list