Snort mailing list archives

Re: Portscan from own interface

From: Midnight shadow <p.selder () freeler nl>
Date: Wed, 16 May 2001 13:30:31 +0200

preprocessor http_decode: 80 8080
preprocessor minfrag: 128


I you snort 1.8 beta xx, so my snort.conf and pre-processor rules are 
different.

My pre-processor line from snort.conf looks like this:
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

How can I find out from the "spp_portscan" log message, which ports are
involved?


I looked in the portscan.log file which is the output from the portscan 
pre-processor. The output looks like this:

May 14 11:39:49 x.x.x.x:55537 -> 212.72.39.210:80 SYN ******S*

Thats where I got the idea that my firewall was making a normal connection to 
a website or the like.


Thank you once again.


You're welcome.

Patrick

-- 
 ZZzz   |\      _,,,---,,_
        /,`.-'`'                  -.  ;-;;,_
       |,4-  ) )-,_..;\ (  `'-'
      '---''(_/--'  `-'\_)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Portscan from own interface Midnight shadow (May 10)
- RE: Portscan from own interface Fernando Cardoso (May 10)
- Re: Portscan from own interface Subba Rao (May 16)
  - Re: Portscan from own interface Midnight shadow (May 16)
    - Re: Portscan from own interface Subba Rao (May 16)
    - Re: Portscan from own interface Midnight shadow (May 16)
  - RE: Portscan from own interface John Berkers (May 16)