Snort mailing list archives
"portscans" that only hit one host, one time?
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Fri, 9 Aug 2002 13:32:55 -0400
WHY oh why am I getting traffic logged as a "portscan" when such traffic only comes from one source, and only happens once or twice?! For example, going through my portscan.log file, grepping for a particular SOURCE address, I see:

Aug 9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443 NOACK *2U*PRS*
Aug 9 11:48:46 204.210.241.146:2059 -> xxx.yyy.zzz.66:443 SYN ******S*

This is the ONLY place in my portscan.log that this source IP appears, and it isn't nearly the 4 ports in 3 seconds limit set in my snort.conf! Does anyone have any idea why my logs are cluttered with these false positives?

For reference, the associated snort.conf lines are:

preprocessor stream4: disable_evasion_alerts, noalerts, ttl_limit 175
preprocessor stream4_reassemble: clientonly, noalerts
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
preprocessor frag2

If anyone has any ideas, I'd be greatly appreciative. Thanks!

Mike
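An added example, not the poster's or the Snort project's code: a Python triage pass over lines in the portscan.log format quoted above. It applies the configured 4-ports-in-3-seconds threshold per source and separately flags entries whose TCP flag combination is anomalous, which the legacy portscan preprocessor logs one packet at a time as a possible stealth scan regardless of that threshold. The sample log lines beyond the two quoted ones and the flag rules are constructed here and only approximate the preprocessor's own categories.

```python
import re
from collections import defaultdict
# Constructed sample in the quoted portscan.log format: the two posted lines plus a source that does hit 4 ports in 3 s.
SAMPLE_LOG = """\
Aug 9 11:48:39 204.210.241.146:2051 -> xxx.yyy.zzz.66:443 NOACK *2U*PRS*
Aug 9 11:48:46 204.210.241.146:2059 -> xxx.yyy.zzz.66:443 SYN ******S*
Aug 9 12:00:01 10.9.8.7:40001 -> xxx.yyy.zzz.66:22 SYN ******S*
Aug 9 12:00:01 10.9.8.7:40002 -> xxx.yyy.zzz.66:23 SYN ******S*
Aug 9 12:00:02 10.9.8.7:40003 -> xxx.yyy.zzz.66:25 SYN ******S*
Aug 9 12:00:03 10.9.8.7:40004 -> xxx.yyy.zzz.66:80 SYN ******S*
"""
# "Mon D HH:MM:SS src:sport -> dst:dport LABEL FLAGS"; FLAGS lists the TCP bits as 2 1 U A P R S F, '*' = clear.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) (?P<src>\S+):\d+"
    r" -> (?P<dst>\S+):(?P<dport>\d+) (?P<label>\S+) (?P<flags>[*21UAPRSF]{8})$")

def parse_line(line):
    """One log line -> dict (time as seconds since midnight; day rollover ignored), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"t": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "label": m["label"], "flags": m["flags"]}

def anomalous_flags(flags):
    """Approximate stealth-scan test: reserved bits, NULL, SYN+FIN, SYN+RST, or FIN/PSH/URG with no ACK."""
    s = set(flags) - {"*"}
    if s & {"1", "2"} or not s or ("S" in s and s & {"F", "R"}):
        return True
    return bool(s & {"F", "P", "U"}) and not s & {"A", "S"}

def exceeds_threshold(entries, ports, seconds):
    """True if some window of `seconds` holds at least `ports` distinct dst:port pairs."""
    ents = sorted(entries, key=lambda e: e["t"])
    for i, start in enumerate(ents):
        seen = set()
        for e in ents[i:]:
            if e["t"] - start["t"] > seconds:
                break
            seen.add((e["dst"], e["dport"]))
            if len(seen) >= ports:
                return True
    return False

def triage(log_text, ports=4, seconds=3):
    # Per source: did it cross the N-ports-in-M-seconds threshold, and which entries carried stealth flags.
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        by_src[e["src"]].append(e)
    return {src: {"threshold": exceeds_threshold(es, ports, seconds), "stealth":
                  [e["label"] for e in es if anomalous_flags(e["flags"])]} for src, es in by_src.items()}
```

For the quoted source, the output shows no threshold hit but one stealth-flag entry (the NOACK line with reserved bit 2, URG, PSH, RST and SYN all set), which is the kind of single packet the preprocessor logs on its own.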
Current thread:
- "portscans" that only hit one host, one time? Cloppert, Michael (Aug 09)
- <Possible follow-ups>
- RE: "portscans" that only hit one host, one time? McCammon, Keith (Aug 09)
- Re: "portscans" that only hit one host, one time? Vinay A. Mahadik (Aug 09)