[Snort-users] portscan question

Darryl Cook dlc at ...6294...
Wed Apr 28 08:08:07 EDT 2004


I did some more testing and *was* able to reproduce the problem.  If you 
put wsftp in passive mode and transfer several files in a row to the 
snort server, it generates a false positive portscan.  Anyone know how 
to correct this?

darryl

Darryl Cook wrote:

> A week or so ago I started noticing that my machine was being scanned 
> a lot as reported by the snort portscanner.  I began investigating and 
> behold a lot of the machines doing the scanning were in my area.   I 
> work at a University in the Computer Science department where there 
> are a lot of students.  The machines in question happen to be some of 
> the grad students and one was even a professor.  So after  a lot of 
> work I noticed that every time I received a scan that entry was also 
> in the ftp logs as well.  The ports that they were scanning happen to 
> be the same ports that the ftp daemon was supplying as the passive 
> port back to the client.  I have tried to reproduce the problem using 
> ftp to connect but cant for some unknown reason.
> My question is this:  Has anyone else noticed the portscanner picking 
> up false readings from ftp connections?  Below is how I have the 
> portscanner configured in the snort.conf file.  If you need other info 
> please ask and I will gladly provide it.
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
>
> preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
> preprocessor portscan-ignorehosts: $DNS_SERVERS
>
> thanks for any insight.....
>
> darryl cook
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 
> 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. 
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list