Snort mailing list archives

Finding out more info ...


From: Stuart Grimshaw <stuart () smgsystems co uk>
Date: Wed, 9 Jan 2002 15:41:18 +0000

I get very few alerts from Snort, and even fewer that aren't something to do 
with Codered, but when I do get them I like to try and at least bone up on 
what they are & what might be causing them, so ...

1) Is there an alternative to whitehats?

or ...

2) What might be causing this (from Demarc)...

IDS ALERT at: 2002-01-09 15:03:22
SIGNATURE: spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 305
SRC IP: 24.201.12.2
DST IP: 212.56.92.26
______________________________
IDS ALERT at: 2002-01-09 15:04:14
SIGNATURE: spp_portscan: PORTSCAN DETECTED to port 22 from 24.201.12.2 
(STEALTH)
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 306
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________
IDS ALERT at: 2002-01-09 15:05:08
SIGNATURE: spp_portscan: portscan status from 24.201.12.2: 2 connections 
across 1 hosts: TCP(2), UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 307
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________

IDS ALERT at: 2002-01-09 15:04:14
SIGNATURE: spp_portscan: PORTSCAN DETECTED to port 22 from 24.201.12.2 
(STEALTH)
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 306
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________

IDS ALERT at: 2002-01-09 15:05:08
SIGNATURE: spp_portscan: portscan status from 24.201.12.2: 2 connections 
across 1 hosts: TCP(2), UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 307
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________
IDS ALERT at: 2002-01-09 15:07:10
SIGNATURE: spp_portscan: End of portscan from 24.201.12.2: TOTAL time(4s) 
hosts(1) TCP(2) UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 308
SRC IP: 0.0.0.0
DST IP: 0.0.0.0

-- 

| Stuart Grimshaw <stuart () footballnet com>
| Chief Operations Officer
| Football Networks Ltd
|-
| t:07976 625221
| f:0870 7060260

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
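An added example (written for this page; it is not code from the post, from Demarc, or from the Snort project) showing how a defender can triage a dump of alert records like the one above. The sample text is constructed from the records quoted in the post, with the wrapped SIGNATURE lines rejoined. The point it makes explicit: the spp_portscan preprocessor writes 0.0.0.0 for SRC IP and DST IP and carries the real source only inside the SIGNATURE string, so a naive group-by on SRC IP would separate the stream4 SYN FIN alert from the portscan records that belong to the same activity. The `is_syn_fin` helper shows the flag combination stream4 is reacting to; the flag bit values are the standard TCP header bits.

```python
"""Group Demarc-style Snort alert records by their real source address.

Constructed example for this page; field names follow the dump in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the records quoted in the post, wrapped lines rejoined.
SAMPLE_ALERTS = """\
IDS ALERT at: 2002-01-09 15:03:22
SIGNATURE: spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 305
SRC IP: 24.201.12.2
DST IP: 212.56.92.26
______________________________
IDS ALERT at: 2002-01-09 15:04:14
SIGNATURE: spp_portscan: PORTSCAN DETECTED to port 22 from 24.201.12.2 (STEALTH)
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 306
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
______________________________

IDS ALERT at: 2002-01-09 15:07:10
SIGNATURE: spp_portscan: End of portscan from 24.201.12.2: TOTAL time(4s) hosts(1) TCP(2) UDP(0) STEALTH
HOST: xxx.xxx.xxx.xxx
SID: 1
CID: 308
SRC IP: 0.0.0.0
DST IP: 0.0.0.0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_alerts(text):
    """Split the dump on underscore rules; each record becomes a dict of 'KEY: value' fields."""
    records = []
    for chunk in re.split(r"^_{5,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if "SIGNATURE" in fields:
            records.append(fields)
    return records


def effective_source(rec):
    """Preprocessor alerts report 0.0.0.0; recover the address from the SIGNATURE text."""
    src = rec.get("SRC IP", "0.0.0.0")
    if src != "0.0.0.0":
        return src
    m = re.search(r"\bfrom " + IPV4, rec["SIGNATURE"])
    return m.group(1) if m else None


def summarize(records):
    """Per real source: event count, targeted ports, SYN FIN indicator, first/last timestamp."""
    by_src = defaultdict(lambda: {"events": 0, "ports": set(), "syn_fin": False,
                                  "first": None, "last": None})
    for rec in records:
        src = effective_source(rec)
        if src is None:
            continue                       # nothing attributable; keep going
        s = by_src[src]
        s["events"] += 1
        sig = rec["SIGNATURE"]
        if "SYN FIN" in sig:
            s["syn_fin"] = True
        m = re.search(r"to port (\d+)", sig)
        if m:
            s["ports"].add(int(m.group(1)))
        # Timestamp key is 'IDS ALERT at' (tolerate a truncated key like 'DS ALERT at').
        ts_key = next((k for k in rec if k.endswith("ALERT at")), None)
        if ts_key:
            ts = datetime.strptime(rec[ts_key], "%Y-%m-%d %H:%M:%S")
            s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
            s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return dict(by_src)


def span_seconds(entry):
    """Seconds between the first and last alert attributed to one source."""
    return int((entry["last"] - entry["first"]).total_seconds())


# What stream4 is reacting to: a segment with both SYN (open) and FIN (close)
# set is never produced by a conforming TCP stack, so it is a probe signature.
TCP_FIN, TCP_SYN = 0x01, 0x02


def is_syn_fin(flags):
    return flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN)


if __name__ == "__main__":
    for src, s in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, s["events"], "alerts, ports", sorted(s["ports"]),
              "SYN FIN seen" if s["syn_fin"] else "", span_seconds(s), "s")
```

Run against the sample, every record collapses onto 24.201.12.2 with port 22 as the only target and a 228 second span, which is the whole story the six records above tell once the 0.0.0.0 entries are attributed correctly.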