Snort mailing list archives
FTP seen as portscan?
From: "Stephen C Burns" <sburns () farpointer net>
Date: Wed, 27 Jun 2001 10:03:00 -0500
Hi all,

I note several entries like the following in my /var/log/snort/alert file. These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x4: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293

I realize why FTP could possibly trigger this, but is there logic in Snort that would allow me to turn this off (other than removing the port scan rule, of course)?

TIA!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
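The alert excerpt above is the kind of thing an analyst ends up triaging by hand: seven "portscan status" lines whose TCP counts (13+3+5+9+9+9+1) add up to the 49 connections reported in the "End of portscan" summary, all against a single host, no UDP. The following script is an added example, not code from the post or from the Snort project: it parses the Snort 1.x alert-file layout quoted above (message line followed by its timestamp line), aggregates the status lines per source, cross-checks them against the End-of-portscan totals, and tags single-host, TCP-only bursts from a constructed list of known FTP servers for review rather than suppressing them. The sample alert text is constructed (documentation addresses stand in for the post's x.x.x.x, and a second multi-host source is added so the triage step has something to discriminate against); the year is an assumption because the alert file carries none.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Snort 1.x alert-file layout: every spp_portscan
# message is followed by a MM/DD-HH:MM:SS.usec stamp on the next line.
SAMPLE_ALERT = """\
[**] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from 192.0.2.10: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from 192.0.2.10: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from 192.0.2.10: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from 192.0.2.10: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from 192.0.2.10: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from 192.0.2.10: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from 192.0.2.10: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
[**] spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-15:01:02.000001
[**] spp_portscan: portscan status from 198.51.100.7: 120 connections across 60 hosts: TCP(80), UDP(40) [**]
06/22-15:01:06.000001
[**] spp_portscan: End of portscan from 198.51.100.7: TOTAL time(4s) hosts(60) TCP(80) UDP(40) [**]
06/22-15:01:09.000001
"""

ASSUMED_YEAR = 2001  # assumption: the alert file stamps carry no year

MSG_RE = re.compile(r"^\[\*\*\] spp_portscan: (?P<body>.*) \[\*\*\]$")
DETECT_RE = re.compile(r"PORTSCAN DETECTED from (?P<src>\S+) \(THRESHOLD (?P<thr>\d+) "
                       r"connections exceeded in (?P<win>\d+) seconds\)")
STATUS_RE = re.compile(r"portscan status from (?P<src>\S+): (?P<n>\d+) connections across "
                       r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
END_RE = re.compile(r"End of portscan from (?P<src>\S+): TOTAL time\((?P<secs>\d+)s\) "
                    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)")


@dataclass
class ScanRecord:
    """Everything spp_portscan said about one source address."""
    src: str
    threshold: Optional[Tuple[int, int]] = None   # (connections, seconds)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    status_tcp: int = 0                            # summed from status lines
    status_udp: int = 0
    max_hosts: int = 0
    end_tcp: Optional[int] = None                  # from the End-of-portscan line
    end_udp: Optional[int] = None
    end_hosts: Optional[int] = None
    end_secs: Optional[int] = None

    @property
    def consistent(self) -> bool:
        """Do the per-interval status counts add up to the final summary?"""
        return self.end_tcp == self.status_tcp and self.end_udp == self.status_udp

    @property
    def observed_seconds(self) -> Optional[float]:
        """Wall-clock span between first DETECTED and End line, for comparison with end_secs."""
        if self.first_seen and self.last_seen:
            return (self.last_seen - self.first_seen).total_seconds()
        return None


def parse_alert(text: str) -> List[Tuple[datetime, str]]:
    """Pair each spp_portscan message line with the timestamp line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events = []
    for msg, stamp in zip(lines[0::2], lines[1::2]):
        m = MSG_RE.match(msg)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR}/{stamp.strip()}", "%Y/%m/%d-%H:%M:%S.%f")
        events.append((ts, m.group("body")))
    return events


def summarize(events: List[Tuple[datetime, str]]) -> Dict[str, ScanRecord]:
    """Fold DETECTED / status / End messages into one record per source."""
    recs: Dict[str, ScanRecord] = {}
    for ts, body in events:
        if m := DETECT_RE.search(body):
            r = recs.setdefault(m["src"], ScanRecord(m["src"]))
            r.first_seen = r.first_seen or ts
            r.threshold = (int(m["thr"]), int(m["win"]))
        elif m := STATUS_RE.search(body):
            r = recs.setdefault(m["src"], ScanRecord(m["src"]))
            r.status_tcp += int(m["tcp"])
            r.status_udp += int(m["udp"])
            r.max_hosts = max(r.max_hosts, int(m["hosts"]))
        elif m := END_RE.search(body):
            r = recs.setdefault(m["src"], ScanRecord(m["src"]))
            r.last_seen = ts
            r.end_tcp, r.end_udp = int(m["tcp"]), int(m["udp"])
            r.end_hosts, r.end_secs = int(m["hosts"]), int(m["secs"])
    return recs


def triage(rec: ScanRecord, known_ftp_servers) -> str:
    """Label for analyst review; a 'likely' label is a prompt to tune, not an auto-suppression."""
    hosts = rec.end_hosts if rec.end_hosts is not None else rec.max_hosts
    if rec.src in known_ftp_servers and hosts == 1 and (rec.end_udp or 0) == 0:
        return "likely-ftp-data-burst"
    if hosts > 1:
        return "multi-host-scan"
    return "review"


def analyze(text: str, known_ftp_servers) -> Dict[str, Tuple[ScanRecord, str]]:
    recs = summarize(parse_alert(text))
    return {src: (r, triage(r, known_ftp_servers)) for src, r in recs.items()}


if __name__ == "__main__":
    KNOWN_FTP = {"192.0.2.10"}  # constructed allow-list of FTP servers you operate
    for src, (r, verdict) in analyze(SAMPLE_ALERT, KNOWN_FTP).items():
        print(f"{src}: {verdict}; status TCP={r.status_tcp} UDP={r.status_udp}, "
              f"summary TCP={r.end_tcp} UDP={r.end_udp} hosts={r.end_hosts}, "
              f"consistent={r.consistent}, time({r.end_secs}s) vs observed {r.observed_seconds:.1f}s")
```

The script reports both the preprocessor's own time(51s) and the wall-clock span between the first and last alert lines so the two can be compared. Sources tagged "likely-ftp-data-burst" are candidates for excluding from the portscan preprocessor; in Snort 1.x that is done with the separate portscan-ignorehosts preprocessor directive rather than by removing the portscan preprocessor itself, which keeps detection for every other source.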
Current thread:
- FTP seen as portscan? Stephen C Burns (Jun 27)
- <Possible follow-ups>
- Re: FTP seen as portscan? Paul Murphy (Jun 27)
- RE: FTP seen as portscan? Stephen C Burns (Jun 27)