[Snort-users] portscan question
dlc at ...6294...
Wed Apr 28 08:08:07 EDT 2004
I did some more testing and *was* able to reproduce the problem. If you
put wsftp in passive mode and transfer several files in a row to the
snort server, it generates a false positive portscan. Anyone know how
to correct this?
Darryl Cook wrote:
> A week or so ago I started noticing that my machine was being scanned
> a lot as reported by the snort portscanner. I began investigating and
> behold a lot of the machines doing the scanning were in my area. I
> work at a University in the Computer Science department where there
> are a lot of students. The machines in question happen to be some of
> the grad students and one was even a professor. So after a lot of
> work I noticed that every time I received a scan that entry was also
> in the ftp logs as well. The ports that they were scanning happen to
> be the same ports that the ftp daemon was supplying as the passive
> port back to the client. I have tried to reproduce the problem using
> ftp to connect but can't for some unknown reason.
> My question is this: Has anyone else noticed the portscanner picking
> up false readings from ftp connections? Below is how I have the
> portscanner configured in the snort.conf file. If you need other info
> please ask and I will gladly provide it.
> preprocessor stream4: detect_scans, disable_evasion_alerts
> preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> thanks for any insight.....
> darryl cook
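
Added example, not part of the original messages and not Snort's own code: a simplified model of threshold-based scan counting, reading the `4 20` in the quoted `preprocessor portscan` line as "more than 4 ports within 20 seconds", run against a passive-mode FTP session. The addresses, port numbers and the `announced` filter are constructed for illustration; the filter is not a Snort option.

```python
import re
from collections import defaultdict, deque

PORTS, WINDOW = 4, 20  # the "4 20" in the quoted portscan line: ports, seconds

PASV = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_port(reply):
    """Data port announced by an FTP 227 reply, or None for other replies."""
    m = PASV.match(reply)
    return int(m.group(5)) * 256 + int(m.group(6)) if m else None

def scan_alerts(syns, ports=PORTS, window=WINDOW, announced=None):
    """Sources that hit more than `ports` distinct ports within `window` s.

    syns: (time, src, dst_port) connection attempts, sorted by time.
    announced: optional {src: set(ports)} that the FTP server told that
    client to connect to; those attempts are not counted (hypothetical filter).
    """
    recent = defaultdict(deque)
    flagged = []
    for t, src, dport in syns:
        if announced and dport in announced.get(src, ()):
            continue
        q = recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        if len({p for _, p in q}) > ports and src not in flagged:
            flagged.append(src)
    return flagged

# Constructed sample: one client transfers five files in passive mode,
# so the server announces a fresh data port for each transfer.
CLIENT = "192.0.2.10"
REPLIES = [f"227 Entering Passive Mode (192,0,2,1,195,{80 + i})" for i in range(5)]
SYNS = [(0, CLIENT, 21)] + [(2 + 3 * i, CLIENT, pasv_port(r)) for i, r in enumerate(REPLIES)]
# Constructed second source connecting to ports nobody announced.
SYNS += [(30 + i, "198.51.100.7", p) for i, p in enumerate([22, 23, 25, 80, 110, 143])]
SYNS.sort()

if __name__ == "__main__":
    print("plain threshold:", scan_alerts(SYNS))
    ftp_ports = {CLIENT: {pasv_port(r) for r in REPLIES}}
    print("FTP-aware:      ", scan_alerts(SYNS, announced=ftp_ports))
```

With the plain threshold the FTP client is flagged alongside the second source, because each passive transfer is a new connection to a new server port; once the ports announced on the control channel are discounted, only the second source remains.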