[Snort-users] Port scans behind Firewall?

Paul Melson pmelson at ...11827...
Wed Jun 15 08:37:16 EDT 2005


James,

These aren't inbound scans, they're normal outbound traffic being
misinterpreted by the portscan2 preprocessor.  You should upgrade to Snort
2.3 and move from the portscan2 preprocessor to the flow & flow-portscan
preprocessors.  This will fix your problem with false-positive alerts for
portscans.

PaulM


-----Original Message-----
Subject: [Snort-users] Port scans behind Firewall?

06/13-15:29:43.021986  [**] [117:1:1] (spp_portscan2) Portscan detected from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP} 204.227.127.209:80 -> 192.168.0.6:11423
06/13-15:30:54.461331  [**] [117:1:1]
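
The alert quoted above has the shape the reply describes: an external host answering from port 80 to a high port on an internal client. The following Python triage helper is an added example, not part of the original message or of Snort; it parses spp_portscan2 alert lines and marks the ones with that shape. The RFC 1918 list, the 1024 port threshold and the second sample line are assumptions made for the example.

```python
import ipaddress
import re

# Assumption: RFC 1918 ranges stand in for "behind the firewall".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the spp_portscan2 alert format shown in the quoted message.
ALERT_RE = re.compile(
    r"\(spp_portscan2\)\s+Portscan detected from\s+(?P<scanner>[\d.]+):\s+"
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds\s+"
    r"\[\*\*\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_alert(line):
    """Return the alert fields as a dict, or None for truncated/foreign lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("targets", "ports", "secs", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert

def triage(line):
    alert = parse_alert(line)
    if alert is None:
        return "unparsed"
    # Server-to-client reply shape: external service port -> internal high port.
    # A source port alone proves nothing, so everything else stays in "review".
    reply_shaped = (not is_internal(alert["src"]) and is_internal(alert["dst"])
                    and alert["sport"] < 1024 <= alert["dport"])
    return "likely-reply-traffic" if reply_shaped else "review"

SAMPLE_ALERTS = [
    # From the quoted message, joined onto one line.
    "06/13-15:29:43.021986  [**] [117:1:1] (spp_portscan2) Portscan detected from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP} 204.227.127.209:80 -> 192.168.0.6:11423",
    # Constructed for this example: high source port toward a service port.
    "06/13-15:31:02.000000  [**] [117:1:1] (spp_portscan2) Portscan detected from 198.51.100.23: 1 targets 21 ports in 1 seconds [**] {TCP} 198.51.100.23:40112 -> 192.168.0.6:22",
    # Truncated line, as in the quoted message.
    "06/13-15:30:54.461331  [**] [117:1:1]",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(triage(line), "|", line[:40])
```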




