Snort mailing list archives

False Portscan Alarms


From: "Charles Darwin" <darwin () netmadeira com>
Date: Sun, 16 Feb 2003 23:11:59 -0000

Snort is always firing those false alarms caused by portscan2.
Apparently it does not know how to distinguish between a response to a web
page request and a true portscan.
Is there any way to correct this?

Paulo Santos Perneta <pperneta () netmadeira com>


[Snort logs]

[**] [117:1:1] (spp_portscan2) Portscan detected from 80.71.6.131: 1 targets
21 ports in 14 seconds [**]
02/14-23:12:40.401802 80.71.6.131:80 -> 213.190.213.207:3242
TCP TTL:63 TOS:0x0 ID:52190 IpLen:20 DgmLen:44
***A**S* Seq: 0x46F5731D  Ack: 0xB093DC71  Win: 0xFFFF  TcpLen: 24
TCP Options (1) => MSS: 1460

02/14-23:12:40.401802  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3242 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
02/14-23:12:40.840447  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3243 tgts: 1 ports: 22 flags: ***A**S* event_id: 2357
02/14-23:12:41.291118  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3244 tgts: 1 ports: 23 flags: ***A**S* event_id: 2357
02/14-23:12:41.690317  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3245 tgts: 1 ports: 24 flags: ***A**S* event_id: 2357
02/14-23:12:42.271349  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3246 tgts: 1 ports: 25 flags: ***A**S* event_id: 2357
02/14-23:12:42.801589  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3247 tgts: 1 ports: 26 flags: ***A**S* event_id: 2357
02/14-23:12:43.117279  TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80
dport: 3248 tgts: 1 ports: 27 flags: ***A**S* event_id: 2357


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net