Snort mailing list archives

Re: Portscan from own interface


From: Subba Rao <subba9 () home com>
Date: Wed, 16 May 2001 06:55:10 +0000

On  0, Midnight shadow <p.selder () freeler nl> wrote:
On Wednesday 16 May 2001 07:37, Subba Rao wrote:


I am seeing similar messages in my snort logs. I hope it is only spoofing
and not that my machine has been compromised.

I found out what was the cause with my machine.
When someone made a connection through the firewall to surf the web, these
messages were generated because I removed a few ports from the preprocessor.
I removed port 80 and 443 for instance.
Now I added them back and the logs are quiet now. (except for a real portscan)

Hope this helps

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**] 05/16-05:19:37.397711



Thank you for replying. These entries in my logs were from last night. I don't
think I had my browser open (which does update news pretty frequently). The
preprocessor statements I have are,

preprocessor http_decode: 80 8080
preprocessor minfrag: 128

How can I find out from the "spp_portscan" log message, which ports are
involved?

Thank you once again.
-- 

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID 27FC9217
