[Snort-users] postscan

Jeff Kell jeff-kell at ...6282...
Thu Sep 15 06:46:37 EDT 2005


Paul Melson wrote:
> I can't easily find the specific detection techniques used to generate these
> alerts, but this is sfportscan thinking it's detected a UDP port scan where
> multiple IPs are involved in a single scan of your network (distributed) or
> where the source IPs have been spoofed (decoy).

I don't know about the original environment, but P2P programs will drive portscan detectors absolutely nuts when they "search" peers for a target.

Jeff




