Snort mailing list archives

RE: Understanding spp_portscan2 results


From: Sasa Jusic <sjusic () pamela zesoi fer hr>
Date: Wed, 16 Apr 2003 11:58:47 +0200

Hi Domingos,    

This is a really good question. Reviewing the Snort results I have noticed
the same problem. From those alerts it is definitely not clear what was
really scanned.

I would really appreciate it if someone could explain what this really means.

Best regards,

Sasa Jusic
Sasa.jusic () zesoi fer hr
Laboratory for Systems and Signals, http://www.lss.hr


:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Domingos
:> Costa
:> Sent: 11 April 2003 17:07
:> To: snort-users () lists sourceforge net
:> Subject: [Snort-users] Understanding spp_portscan2 results
:> 
:> 
:> I wanna understand this kind of results from spp_portscan2 
:> preprocessor:
:> 
:> #1-3209246| [2003-04-11 10:54:56] XXX.XXX.XXX.XXX:1443 -> 
:> XXX.XXX.XXX.XXX:3462 [snort/1] 
:> (spp_portscan2) Portscan detected
:> from XXX.XXX.XXX.XXX: 4 targets 21 ports in 51 seconds
:> 
:> 
:> First: it said "4 targets" but it showed only one connection 
:> (XXX.XXX.XXX.XXX:1443 ->
:> XXX.XXX.XXX.XXX:3462). So where are the other 3 target hosts?
:> 
:> Second: it said "21 ports" but it showed only one src port 
:> and dst. Can I suppose that IP
:> XXX.XXX.XXX.XXX scanned only this dst port 21 times?
:> 
:> Probably, I'm making some confusion about this kind of log. 
:> So, help me out.
:> 
:> Thanks in advance,
:> 
:> 
:> Domingos Costa
:> domingos () microlink com br


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users