Snort mailing list archives
False Portscan Alarms
From: "Charles Darwin" <darwin () netmadeira com>
Date: Sun, 16 Feb 2003 23:11:59 -0000
Snort is always firing those false alarms caused by portscan 2. Apparently it does not know how to distinguish between a response for a web page request and a true portscan. Is there any way to correct this?

Paulo Santos Perneta <pperneta () netmadeira com>

[Snort logs]

[**] [117:1:1] (spp_portscan2) Portscan detected from 80.71.6.131: 1 targets 21 ports in 14 seconds [**]
02/14-23:12:40.401802 80.71.6.131:80 -> 213.190.213.207:3242
TCP TTL:63 TOS:0x0 ID:52190 IpLen:20 DgmLen:44
***A**S* Seq: 0x46F5731D Ack: 0xB093DC71 Win: 0xFFFF TcpLen: 24
TCP Options (1) => MSS: 1460

02/14-23:12:40.401802 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3242 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
02/14-23:12:40.840447 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3243 tgts: 1 ports: 22 flags: ***A**S* event_id: 2357
02/14-23:12:41.291118 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3244 tgts: 1 ports: 23 flags: ***A**S* event_id: 2357
02/14-23:12:41.690317 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3245 tgts: 1 ports: 24 flags: ***A**S* event_id: 2357
02/14-23:12:42.271349 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3246 tgts: 1 ports: 25 flags: ***A**S* event_id: 2357
02/14-23:12:42.801589 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3247 tgts: 1 ports: 26 flags: ***A**S* event_id: 2357
02/14-23:12:43.117279 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3248 tgts: 1 ports: 27 flags: ***A**S* event_id: 2357
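An added example, not part of the original post and not Snort's own code: it parses portscan2 log lines in the format quoted above and separates sources that only send SYN-ACKs from one fixed source port (the pattern of a web server answering a client's connections) from sources that warrant review as a scan. The function names, the `min_events` threshold and the 192.0.2.10 log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines: from the post above. Last three: constructed SYN-only contrast case.
SAMPLE_LOG = """\
02/14-23:12:40.401802 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3242 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
02/14-23:12:40.840447 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3243 tgts: 1 ports: 22 flags: ***A**S* event_id: 2357
02/14-23:12:41.291118 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3244 tgts: 1 ports: 23 flags: ***A**S* event_id: 2357
02/14-23:12:41.690317 TCP src: 80.71.6.131 dst: 213.190.213.207 sport: 80 dport: 3245 tgts: 1 ports: 24 flags: ***A**S* event_id: 2357
02/14-23:20:01.000001 TCP src: 192.0.2.10 dst: 198.51.100.5 sport: 40112 dport: 21 tgts: 1 ports: 1 flags: ******S* event_id: 0
02/14-23:20:01.100001 TCP src: 192.0.2.10 dst: 198.51.100.5 sport: 40113 dport: 22 tgts: 1 ports: 2 flags: ******S* event_id: 1
02/14-23:20:01.200001 TCP src: 192.0.2.10 dst: 198.51.100.5 sport: 40114 dport: 23 tgts: 1 ports: 3 flags: ******S* event_id: 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+.*?flags:\s*(?P<flags>\S{8})"
)

def parse(log_text):
    """Yield one dict per portscan2 log line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def is_syn_ack(flags):
    """Snort prints TCP flags as 12UAPRSF; SYN-ACK means A and S set, R and F clear."""
    return flags[3] == "A" and flags[6] == "S" and flags[5] == "*" and flags[7] == "*"

def triage(log_text, min_events=3):
    """Return {source_ip: verdict} for every source seen in the log text."""
    by_src = defaultdict(list)
    for rec in parse(log_text):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        sports = {r["sport"] for r in recs}
        all_synack = all(is_syn_ack(r["flags"]) for r in recs)
        # Heuristic only: SYN-ACKs from a single source port look like server replies.
        if len(recs) >= min_events and all_synack and len(sports) == 1:
            verdicts[src] = "likely-server-replies"
        else:
            verdicts[src] = "review-as-scan"
    return verdicts
```

The verdict is a triage hint for an analyst, not proof: confirm that the local host actually opened connections to the flagged source before treating the alert as benign.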