Snort mailing list archives
Portscan2 woes
From: "Robin Brown" <robin_brown () totalcomm com>
Date: Fri, 2 May 2003 12:04:27 -0400
I'd like to use it, but I keep getting alerted on what looks like normal return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167
05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0

I have the snort distribution provided by Demarc as they have their own set of patches for use with a database:

-*> Snort! <*-
Version 2.0.0-db (Build 72)

Snort.conf settings:

preprocessor conversation: allowed_ip_protocols 1 6 7 50 51 47, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: 10.10.10.0/24

I also tried to use the alert_odd_protocols in the conversation preprocessor, but that generated alerts on what appeared to be normal UDP traffic.

Any hints?

Thanks and regards,
Robin
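An added triage script (my example, not code from the post or from Snort) for the portscan2 alert format quoted above: it parses each line and labels as reply traffic the entries that look like the server's half of a connection a local client opened, which is what the three alerts above are (ACK set together with SYN or RST, from port 80 to ephemeral ports). The regex, the reply heuristic and the fourth, bare-SYN sample line are my assumptions.

```python
import re

# Layout of the portscan2 alert lines quoted in the post (the regex is my assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)"
    r"\s+sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)"
    r"\s+ports:\s*(?P<ports>\d+)\s+flags:\s*(?P<flags>\S+)\s+event_id:\s*(?P<eid>\d+)$"
)

def parse_alert(line):
    """Return the fields of one portscan2 line as a dict, or None if it does not match.
    Snort prints the TCP flag byte positionally as 12UAPRSF, with '*' for a clear bit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("sport", "dport", "tgts", "ports", "eid"):
        a[k] = int(a[k])
    return a

def is_likely_reply_traffic(a):
    """Heuristic (my assumption, not a Snort rule): ACK set together with SYN or RST,
    sent from a well-known service port to an ephemeral port, is the server's half of
    a connection a local client opened. A real scanner sends the bare SYN itself."""
    if a["proto"] != "TCP":
        return False
    f = a["flags"]
    return "A" in f and ("S" in f or "R" in f) and a["sport"] < 1024 and a["dport"] >= 1024

def triage(lines):
    """Label each parseable line 'reply' or 'scan-like' so reply noise can be filtered."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            out.append((a["src"], a["sport"], a["dport"], "reply" if is_likely_reply_traffic(a) else "scan-like"))
    return out

# The three lines from the post, plus one constructed bare-SYN line for contrast.
SAMPLE = [
    "05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0",
    "05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167",
    "05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0",
    "05/02-09:00:00.000000 TCP src: 192.0.2.10 dst: 10.10.10.1 sport: 40000 dport: 22 tgts: 1 ports: 21 flags: ******S* event_id: 0",
]
```

Running `triage(SAMPLE)` labels the three quoted lines "reply" and only the constructed bare-SYN line "scan-like".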
Current thread:
- Portscan2 woes Robin Brown (May 02)
- Re: Portscan2 woes Matt Kettler (May 02)
- Re: Portscan2 woes Erek Adams (May 02)
- <Possible follow-ups>
- FW: Portscan2 woes Gavin Lowe (May 02)
- FW: Portscan2 woes Robin Brown (May 02)
- Re: Portscan2 woes Matt Kettler (May 02)