Snort mailing list archives
Re: portscan log...
From: "Edwin Pua" <edwin1118 () hotmail com>
Date: Fri, 01 Feb 2002 09:24:00 +0000
ah ok... but I noticed that my alert file shows a lot of spp_portscan packets... are they all false positive alarms? How will I stop this?
sorry, as I am still new to snort. Thankful for your response.

02/01-17:12:01.113781 [**] [100:2:1] spp_portscan: portscan status from 192.168.1.66: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
02/01-17:12:01.113865 [**] [100:2:1] spp_portscan: portscan status from 192.168.2.20: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:02.122956 [**] [100:2:1] spp_portscan: portscan status from 192.168.1.12: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
02/01-17:12:03.122865 [**] [100:2:1] spp_portscan: portscan status from 173.42.4.5: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
02/01-17:12:03.122933 [**] [100:2:1] spp_portscan: portscan status from 172.42.4.8: 3 connections across 3 hosts: TCP(3), UDP(0) [**]
....

rgds,
Edwin
From: John Sage <jsage () finchhaven com>
To: Edwin Pua <edwin1118 () hotmail com>
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] portscan log...
Date: Thu, 31 Jan 2002 06:42:45 -0800

On Thu, Jan 31, 2002 at 06:45:46AM +0000, Edwin Pua wrote:
>
> Hi Joe,
>
> ok thanx for the explanation.. but how am I gonna know that he was already
> connected to my tcp port? or I was being attacked/hacked by this source IP?
> I'm using the default rules in my snort box.

If all you ever see are SYN packets from that IP, he's never connected.

A finished connection is a SYN coming in to you, you sending an ACK/SYN back out to him, and him sending an ACK/SYN back to you.

Only *then* is the connection established.

May I recommend "TCP/IP Illustrated, vol. 1", W. R. Stevens, Addison-Wesley pubs.... read that. It'll make a *lot* of stuff more understandable.

- John

--
Most people don't type their own logfiles; but, what do I care?
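An added example (my own code, not from the thread or from Snort) that applies John's point to the alert lines Edwin posted: it parses spp_portscan status lines in the format shown above, and tracks how far each remote host got in the standard TCP three-way handshake (SYN in, SYN/ACK out, ACK in) so SYN-only sources can be told apart from hosts that actually connected. The packet trace and the address 10.0.0.5 (standing in for the Snort host) are constructed.

```python
import re

# Regex for the spp_portscan "status" lines shown in the alert file above.
PORTSCAN_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[100:2:1\] spp_portscan: "
    r"portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections across "
    r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

def parse_portscan(line):
    """Parse one spp_portscan status line into a dict; None if it is not one."""
    m = PORTSCAN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conns", "hosts", "tcp", "udp"):
        rec[key] = int(rec[key])
    return rec

def handshake_state(packets, my_ip):
    """Track each remote host's progress through the three-way handshake
    (SYN in, SYN/ACK out, ACK in) with my_ip. packets: (src, dst, flags)
    tuples with flags 'S', 'SA' or 'A'. Keyed on remote IP only for brevity;
    a real tracker keys on the full (src, sport, dst, dport) tuple."""
    state = {}
    for src, dst, flags in packets:
        if dst == my_ip and flags == "S":          # inbound SYN
            state.setdefault(src, "syn-only")
        elif src == my_ip and flags == "SA":        # our SYN/ACK going back out
            if state.get(dst) == "syn-only":
                state[dst] = "half-open"
        elif dst == my_ip and flags == "A":         # remote's final ACK
            if state.get(src) == "half-open":
                state[src] = "established"
    return state

# Constructed sample input: one alert line copied from the thread plus a
# made-up packet trace; 10.0.0.5 stands in for the Snort host's own address.
SAMPLE_ALERT = ("02/01-17:12:03.122933 [**] [100:2:1] spp_portscan: portscan status "
                "from 172.42.4.8: 3 connections across 3 hosts: TCP(3), UDP(0) [**]")
MY_IP = "10.0.0.5"
SAMPLE_PACKETS = [
    ("172.42.4.8", MY_IP, "S"),       # scanner: SYNs only, never completes
    ("172.42.4.8", MY_IP, "S"),
    ("192.168.1.12", MY_IP, "S"),     # normal client: full handshake
    (MY_IP, "192.168.1.12", "SA"),
    ("192.168.1.12", MY_IP, "A"),
]
```

Running `handshake_state(SAMPLE_PACKETS, MY_IP)` reports 172.42.4.8 as "syn-only" and 192.168.1.12 as "established"; the portscan alert alone cannot tell those two cases apart.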