[Snort-users] postscan

Paul Melson pmelson at ...11827...
Thu Sep 15 06:26:24 EDT 2005

I can't easily find the specific detection techniques used to generate these
alerts, but this is sfportscan thinking it's detected a UDP port scan where
multiple IPs are involved in a single scan of your network (distributed) or
where the source IPs have been spoofed (decoy).

Being that they're UDP "scans," I would think it may be a false positive
triggered by SQL worm traffic, DNS traffic, or something else along those
lines.  Tough to say without seeing the specific src/dst info for those
alerts, though.



Subject: [Snort-users] postscan

I am seeing several of the below and am wondering what this is:

*	UDP Distributed Portscan 
*	UDP Decoy Portscan 


More information about the Snort-users mailing list