Snort mailing list archives
RE: non privileged portscans
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 17 Apr 2002 10:58:43 -0400
Addy,
I'm new and hadn't found the answer to the following problem:

Apr 15 15:36:53 source-ip-address:1836 -> dest-ip-address:26112 SYN ******S*
Apr 15 15:36:54 source-ip-address:1837 -> dest-ip-address:26117 SYN ******S*
Apr 15 15:36:54 source-ip-address:1838 -> dest-ip-address:26126 SYN ******S*
....

The portscan-plugin logged these "portscans", but these are only non-privileged ports (>1024). I got over 5000 scanned ports from the same IP, and all scanned ports were non-privileged. I don't think that a hacker tries to hijack a connection.

- Is it a false alarm from the portscan-plugin of snort?
Doubtful..
- Can an application rise these portscan-alerts?
Yes, there are a few services/applications, DNS for example, that do tend to play havoc with the portscan preprocessor. But, I don't believe this is happening in your case.
- Is it possible to stop logging portscans where the scanned ports are over i.e. port 5000?
Nope. Check the portscan section of your snort.conf for preprocessor options.
The options my snort is running with:

snort -A fast -b -c /etc/snort/snort.conf -d -D -e -g snort \ -G url -u snort -v
Keep in mind that there are just a *few* trojans that live above port 1024, or 5000 for that matter. IMHO, this is most likely what the attacker was probing for...

- Jeff

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
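Added example, not code from the thread or from the Snort project: a small parser for the portscan.log line format Addy quoted, grouping probes per source and reporting whether every destination port sits above 1024 (the triage this thread is about) plus whether the source ports climb one at a time. The log lines, addresses and port numbers below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.x portscan.log format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts; the last line is
# a made-up DNS reply of the kind that can trip the portscan preprocessor.
SAMPLE_LOG = """\
Apr 15 15:36:53 192.0.2.10:1836 -> 198.51.100.5:26112 SYN ******S*
Apr 15 15:36:54 192.0.2.10:1837 -> 198.51.100.5:26117 SYN ******S*
Apr 15 15:36:54 192.0.2.10:1838 -> 198.51.100.5:26126 SYN ******S*
Apr 15 15:36:55 192.0.2.10:1839 -> 198.51.100.5:26130 SYN ******S*
Apr 15 15:40:01 192.0.2.53:53 -> 198.51.100.5:33012 UDP
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"   # flags column is absent for UDP
)

def parse_portscan_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def summarize(events, high_port=1024):
    """Per-source triage: probe count, targets, destination port range, whether
    every destination port is above high_port, and whether the source ports
    climb by one per probe (what a single unspoofed host's ephemeral-port
    allocator typically produces; supporting evidence, not proof)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        dports = sorted(e["dport"] for e in evs)
        sports = [e["sport"] for e in evs]
        report[src] = {
            "probes": len(evs),
            "targets": sorted({e["dst"] for e in evs}),
            "dport_range": (dports[0], dports[-1]),
            "all_above_high_port": all(p > high_port for p in dports),
            "sequential_sports": len(sports) > 1
                and all(b - a == 1 for a, b in zip(sports, sports[1:])),
        }
    return report
```

Run it against a real portscan.log by passing the file contents to parse_portscan_log; the single-line DNS entry in the sample shows why a per-source count, not the alert itself, is what to act on.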