Snort mailing list archives
portscan question
From: Darryl Cook <dlc () cs appstate edu>
Date: Wed, 28 Apr 2004 09:33:51 -0400
A week or so ago I started noticing that my machine was being scanned a lot as reported by the snort portscanner. I began investigating and behold a lot of the machines doing the scanning were in my area. I work at a University in the Computer Science department where there are a lot of students. The machines in question happen to be some of the grad students and one was even a professor. So after a lot of work I noticed that every time I received a scan that entry was also in the ftp logs as well. The ports that they were scanning happen to be the same ports that the ftp daemon was supplying as the passive port back to the client. I have tried to reproduce the problem using ftp to connect but can't for some unknown reason. My question is this: Has anyone else noticed the portscanner picking up false readings from ftp connections? Below is how I have the portscanner configured in the snort.conf file. If you need other info please ask and I will gladly provide it.
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

thanks for any insight.....
darryl cook
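Added example, not part of the original post and not Snort's own code: a simplified Python model of the `4 20` threshold in the configuration above (4 distinct ports from one source within 20 seconds), run over constructed connection events to show how a passive-mode FTP client can reach that threshold and how such hits can be separated for triage. The passive-port range, the addresses and the event tuples are assumptions made for the illustration.

```python
from collections import defaultdict, deque

PORTS, SECONDS = 4, 20             # from "preprocessor portscan: $HOME_NET 4 20 ..."
PASV_RANGE = range(49152, 65536)   # assumed passive-port range of the FTP daemon
FTP_CONTROL = 21

# Constructed sample: (epoch seconds, source IP, destination port) of inbound SYNs.
EVENTS = [
    (100, "10.0.0.5", 21), (102, "10.0.0.5", 50001), (105, "10.0.0.5", 50002),
    (109, "10.0.0.5", 50003), (113, "10.0.0.5", 50004),  # FTP client, 4 PASV transfers
    (200, "10.0.0.9", 22), (201, "10.0.0.9", 23), (202, "10.0.0.9", 25),
    (203, "10.0.0.9", 80),                                # sequential service ports
    (300, "10.0.0.7", 21), (340, "10.0.0.7", 50010),      # slow FTP use, below threshold
]

def threshold_hits(events, ports=PORTS, seconds=SECONDS):
    """Return {src: sorted ports} for every source that reaches `ports` distinct
    destination ports within `seconds` (simplified model of the threshold)."""
    window = defaultdict(deque)
    hits = {}
    for ts, src, dport in sorted(events):
        q = window[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > seconds:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= ports:
            hits.setdefault(src, set()).update(distinct)
    return {s: sorted(p) for s, p in hits.items()}

def triage(events):
    """Label a flagged source 'ftp-passive' when it opened an FTP control
    connection and every other port it touched is a passive port, else 'review'."""
    ftp_clients = {src for _, src, dport in events if dport == FTP_CONTROL}
    result = {}
    for src, ports in threshold_hits(events).items():
        data_ports = [p for p in ports if p != FTP_CONTROL]
        passive_only = all(p in PASV_RANGE for p in data_ports)
        result[src] = "ftp-passive" if src in ftp_clients and passive_only else "review"
    return result

if __name__ == "__main__":
    for src, label in triage(EVENTS).items():
        print(src, label)
```

The port-range test is coarse; matching each flagged port against the passive ports the FTP daemon actually logged for that client is the stronger confirmation before adding a host to `portscan-ignorehosts`.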
Current thread:
- portscan question Darryl Cook (Apr 28)
- Re: portscan question Darryl Cook (Apr 28)
- Re: portscan question Matt Kettler (Apr 28)
- Re: portscan question Darryl Cook (Apr 28)