Snort mailing list archives
Understanding spp_portscan2 results
From: Domingos Costa <domingos () microlink com br>
Date: Fri, 11 Apr 2003 12:07:16 -0300
I wanna understand this kind of result from the spp_portscan2 preprocessor:

#1-3209246| [2003-04-11 10:54:56] XXX.XXX.XXX.XXX:1443 -> XXX.XXX.XXX.XXX:3462 [snort/1] (spp_portscan2) Portscan detected from XXX.XXX.XXX.XXX: 4 targets 21 ports in 51 seconds

First: it said "4 targets" but it showed only one connection (XXX.XXX.XXX.XXX:1443 -> XXX.XXX.XXX.XXX:3462). So where are the other 3 target hosts?

Second: it said "21 ports" but it showed only one src port and dst. Can I suppose that IP XXX.XXX.XXX.XXX scanned only this dst port 21 times?

Probably, I'm making some confusion about this kind of log. So, help me out.

Thanks in advance,
Domingos Costa
domingos () microlink com br