Snort mailing list archives

RE: TCP ******S* portscan


From: Marcel Hauser <marcel_hauser () gmx ch>
Date: Sat, 6 Apr 2002 01:11:23 -0100

Quoting Andrew Blevins <ABlevins () arrowheadgrp com>:

> This is a SYN scan, which sets a flag that some firewalls will allow to
> pass.
> That may be the issue.
> Feel free to brutally correct me if I'm wrong (which I prob am!)
> Happy Hunting

Another question about that... as I'm doing DNAT (external IP:80 --> internal
IP:80)... why is Snort only reporting a portscan to my internal webserver? And,
for example, not to my DNS server as a second host also? (which runs on a
different machine in my internal network)

And that's strange too:

Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S* 
Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S* 
Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S* 
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S* 

First all those 45445 and so on destination ports were scanned, and at the end
it "jumps" five times to port 80?

Cheers Marcel
