pmelson at ...11827...
Thu Sep 15 06:26:24 EDT 2005
I can't easily find the specific detection techniques used to generate these
alerts, but this is sfportscan thinking it's detected a UDP port scan where
multiple IPs are involved in a single scan of your network (distributed) or
where the source IPs have been spoofed (decoy).
Being that they're UDP "scans," I would think it may be a false positive
triggered by SQL worm traffic, DNS traffic, or something else along those
lines. Tough to say without seeing the specific src/dst info for those
Subject: [Snort-users] postscan
I am seeing several of the below and am wondering what this is:
* UDP Distributed Portscan
* UDP Decoy Portscan