Snort mailing list archives
Re: Portscan from own interface
From: Subba Rao <subba9 () home com>
Date: Wed, 16 May 2001 06:55:10 +0000
On 0, Midnight shadow <p.selder () freeler nl> wrote:
On Wednesday 16 May 2001 07:37, Subba Rao wrote:

I am seeing similar messages in my snort logs. I hope it is only spoofing and not that my machine has been compromised.

I found out what was the cause with my machine. When someone made a connection thru the firewall to surf the web these messages were generated because I removed a few ports from the preprocessor. I removed port 80 and 443 for instance. Now I added them back and the logs are quiet now. (except for a real portscan) Hope this helps

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/16-05:19:37.397711
Thank you for replying. These entries in my logs were from last night. I don't think I had my browser open (which does update news pretty frequently). The preprocessor statements I have are,

preprocessor http_decode: 80 8080
preprocessor minfrag: 128

How can I find out from the "spp_portscan" log message, which ports are involved?

Thank you once again.

--
Subba Rao
subba9 () home com
http://members.home.net/subba9/
GPG public key ID 27FC9217
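
An added example, not part of the original message or of Snort: the status line quoted in this thread carries a source address, connection and host counts, and a TCP/UDP split, so this Python parses those fields and marks sources that fall inside an assumed home network. The function names, the 192.0.2.0/24 home network and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Matches the spp_portscan status line in the form quoted in the thread.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

def parse_status(line):
    """Return the fields of one status line, or None if it is not one."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:          # e.g. an octet above 255
        return None
    rec = {k: int(m.group(k)) for k in ("conns", "hosts", "tcp", "udp")}
    rec["src"] = src
    return rec

def summarize(lines, home_net):
    """Per source: number of status reports, peak counts, and whether the
    source lies inside home_net (hypothetical parameter, CIDR string)."""
    net = ipaddress.ip_network(home_net)
    out = {}
    for line in lines:
        rec = parse_status(line)
        if rec is None:
            continue            # timestamps and other alert lines are skipped
        s = out.setdefault(str(rec["src"]), {
            "reports": 0, "peak_conns": 0, "peak_hosts": 0,
            "local": rec["src"] in net,
        })
        s["reports"] += 1
        s["peak_conns"] = max(s["peak_conns"], rec["conns"])
        s["peak_hosts"] = max(s["peak_hosts"], rec["hosts"])
    return out

# Constructed sample input using documentation address ranges.
SAMPLE = [
    "[**] spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0) [**]",
    "05/16-05:19:37.397711",
    "[**] spp_portscan: portscan status from 192.0.2.10: 2 connections across 1 hosts: TCP(2), UDP(0) [**]",
    "[**] spp_portscan: portscan status from 198.51.100.7: 45 connections across 3 hosts: TCP(40), UDP(5) [**]",
]

if __name__ == "__main__":
    for src, s in summarize(SAMPLE, "192.0.2.0/24").items():
        print(src, s)
```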