Snort mailing list archives

"portscans" that only hit one host, one time?

From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Fri, 9 Aug 2002 13:32:55 -0400

WHY oh why am I getting traffic logged as a "portscan" when such traffic
only comes from one source, and only happens once or twice?!  For example,
going through my portscan.log file, grepping for a particular SOURCE
address, I see:

Aug  9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443 NOACK *2U*PRS*
Aug  9 11:48:46 204.210.241.146:2059 -> xxx.yyy.zzz.66:443 SYN ******S*

This is the ONLY place in my portscan.log that this source IP appears, and
it isn't nearly the 4 ports in 3 second limit set in my snort.conf!  Does
anyone have any idea why my logs are cluttered with these false positives?
For reference, associated snort.conf lines are:

preprocessor stream4: disable_evasion_alerts, noalerts, ttl_limit 175
preprocessor stream4_reassemble: clientonly, noalerts
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2

If anyone has any ideas, I'd be greatly appreciative.  Thanks!

Mike


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

"portscans" that only hit one host, one time? Cloppert, Michael (Aug 09)
- <Possible follow-ups>
- RE: "portscans" that only hit one host, one time? McCammon, Keith (Aug 09)
  - Re: "portscans" that only hit one host, one time? Vinay A. Mahadik (Aug 09)