Snort mailing list archives
RE: TCP ******S* portscan
From: Marcel Hauser <marcel_hauser () gmx ch>
Date: Sat, 6 Apr 2002 01:11:23 -0100
Quoting Andrew Blevins <ABlevins () arrowheadgrp com>:
> This is a SYN scan, which sets a flag that some firewalls will allow to pass. That may be the issue. Feel free to brutally correct me if I'm wrong (which I prob am!) Happy Hunting

Another question about that... as I am doing DNAT (external IP:80 --> internal IP:80)... why is Snort only reporting a portscan to my internal webserver, and for example not to my DNS server as a second host also? (which runs on a different machine in my internal network)

And that's strange too:

Apr 5 15:51:44 195.186.255.2:3619 -> y.y.y.y:45445 SYN ******S*
Apr 5 15:51:45 195.186.255.2:3620 -> y.y.y.y:45446 SYN ******S*
Apr 5 15:51:46 195.186.255.2:3621 -> y.y.y.y:45448 SYN ******S*
Apr 5 15:52:08 195.186.255.2:3630 -> y.y.y.y:80 SYN ******S*

First all those 45445 and so on destination ports were scanned, and at the end it "jumps" five times to port 80?

Cheers
Marcel