Snort mailing list archives
Re: FTP seen as portscan?
From: "Paul Murphy" <paul.murphy () crestco co uk>
Date: Wed, 27 Jun 2001 16:23:47 +0100
Hmm... what is this... Getright or some other ftp multiconnector?
"Stephen C Burns" <sburns () farpointer net> 6/27/2001 04:03:00 pm >>>
Hi all,

I note several entries like the following in my /var/log/snort/alert file. These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x4: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293

I realize why FTP could possibly trigger this, but is there a logic in snort that would allow me to turn this off (other than removing the port scan rule, of course).

TIA!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

----------------------------------------------------------------------
CRESTCo Ltd.
33 Cannon Street.
London EC4M 5SB (UK)
+44 (020) 7849 0000
http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.
----------------------------------------------------------------------
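Added example, not part of the original thread and not Snort's own code: a small parser for the spp_portscan alert lines quoted above. It totals the status lines per source, checks them against the closing "End of portscan" line, and marks events confined to one target host over TCP only, which is the shape of the alert in the quoted log. The sample log is constructed (192.0.2.10 stands in for the redacted source, and the status lines are condensed), and the single-host heuristic is an assumption for triage, not a Snort feature.

```python
import re

# Constructed sample in the alert-file layout quoted above; 192.0.2.10 is a
# documentation address standing in for the redacted x.x.x.x source.
SAMPLE = """\
[**] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from 192.0.2.10: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from 192.0.2.10: 36 connections across 1 hosts: TCP(36), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from 192.0.2.10: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
"""

STATUS = re.compile(r"portscan status from (\S+): (\d+) connections across (\d+) hosts")
END = re.compile(r"End of portscan from (\S+): TOTAL time\((\d+)s\) hosts\((\d+)\) TCP\((\d+)\) UDP\((\d+)\)")

def summarize(alert_text):
    """Return one dict per completed spp_portscan event, in log order."""
    running = {}   # source -> connections summed from status lines so far
    events = []
    for line in alert_text.splitlines():
        m = STATUS.search(line)
        if m:
            running[m.group(1)] = running.get(m.group(1), 0) + int(m.group(2))
            continue
        m = END.search(line)
        if m:
            src, secs, hosts, tcp, udp = m.group(1), *map(int, m.groups()[1:])
            events.append({
                "src": src, "seconds": secs, "hosts": hosts, "tcp": tcp, "udp": udp,
                # Do the status lines add up to the closing total?
                "consistent": running.pop(src, 0) == tcp + udp,
                # Heuristic (assumption): one target host and TCP only looks
                # like a multi-connection client such as FTP, not a sweep.
                "single_host_tcp": hosts == 1 and udp == 0,
            })
    return events

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```

An event marked `single_host_tcp` is only a candidate for review; the connections still need to be confirmed as FTP, as was done for the traffic in the quoted message.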