Snort mailing list archives
Re: Portscan from own interface
From: Midnight shadow <p.selder () freeler nl>
Date: Wed, 16 May 2001 13:30:31 +0200
preprocessor http_decode: 80 8080 preprocessor minfrag: 128
I you snort 1.8 beta xx, so my snort.conf and pre-processor rules are different. My pre-processor line from snort.conf looks like this: preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
How can I find out from the "spp_portscan" log message, which ports are involved?
I looked in the portscan.log file which is the output from the portscan pre-processor. The output looks like this: May 14 11:39:49 x.x.x.x:55537 -> 212.72.39.210:80 SYN ******S* Thats where I got the idea that my firewall was making a normal connection to a website or the like.
Thank you once again.
You're welcome. Patrick -- ZZzz |\ _,,,---,,_ /,`.-'`' -. ;-;;,_ |,4- ) )-,_..;\ ( `'-' '---''(_/--' `-'\_) _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan from own interface Midnight shadow (May 10)
- RE: Portscan from own interface Fernando Cardoso (May 10)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- RE: Portscan from own interface John Berkers (May 16)