Snort mailing list archives

Previous By Date Next
Previous By Thread Next

non privileged portscans

From: TheEagleSociety () netscape net (Eagle_2-7)
Date: Wed, 17 Apr 2002 05:12:44 -0400
hi out there,

i'm new and hadn't found the answer to the following problem:

Apr 15 15:36:53 source-ip-address:1836 -> dest-ip-address:26112 SYN ******S*
Apr 15 15:36:54 source-ip-address:1837 -> dest-ip-address:26117 SYN ******S*
Apr 15 15:36:54 source-ip-address:1838 -> dest-ip-address:26126 SYN ******S*
....

portscan-plugin logged these "portscans", but these are only non-privileged ports (>1024). I got over 5000 scanned 
ports from the same ip and all scanned non-privileged ports.
I don't think, that a hacker tries to hijack a connection.

- Is it a false alarm from the portscan-plugin of snort? 
- Can an application rise these portscan-alerts?
- Is it possible to stop logging portscans where the scanned ports are
  over i.e. port 5000

The options, my snort is running with:
snort -A fast -b -c /etc/snort/snort.conf -d -D -e -g snort \
      -G url -u snort -v

Thanks

Addy


__________________________________________________________________
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with 
Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: