Snort mailing list archives

portscan question


From: Darryl Cook <dlc () cs appstate edu>
Date: Wed, 28 Apr 2004 09:33:51 -0400

A week or so ago I started noticing that my machine was being scanned a lot, as reported by the snort portscanner. I began investigating and, behold, a lot of the machines doing the scanning were in my area. I work at a University in the Computer Science department where there are a lot of students. The machines in question happen to be some of the grad students' and one was even a professor's. So after a lot of work I noticed that every time I received a scan, that entry was also in the ftp logs as well. The ports that they were scanning happen to be the same ports that the ftp daemon was supplying as the passive port back to the client. I have tried to reproduce the problem using ftp to connect but can't for some unknown reason. My question is this: has anyone else noticed the portscanner picking up false readings from ftp connections? Below is how I have the portscanner configured in the snort.conf file. If you need other info please ask and I will gladly provide it.

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor portscan: $HOME_NET 4 20 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

Thanks for any insight...

darryl cook
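The correlation Darryl describes doing by hand (matching each portscan.log entry against the passive data port the ftp daemon had just handed to that same client) can be scripted. The following is an added example, not code from the post or from the Snort project. It re-applies the rule expressed by the post's `portscan: $HOME_NET 4 20 ...` line (four distinct ports from one source within 20 seconds) to a small portscan log, then labels each flagged probe as "ftp-passive" when the FTP server log shows the same client was given that port as a PASV data port shortly before. Both log excerpts, their line formats, the 30-second grace period and the year used to complete the syslog timestamps are constructed assumptions for the example; adapt the two parse functions to the real ftpd and portscan.log formats in use.

```python
"""Triage Snort portscan alerts against FTP passive-mode data ports.

An FTP client in passive mode opens a fresh data connection to a
server-chosen high port for every listing or transfer, so a few transfers
inside the portscan preprocessor's window look exactly like a scan of
random high ports. This example (not the original poster's code) separates
that noise from probes no PASV reply explains.
"""
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2004  # assumed: syslog-style timestamps carry no year

# Constructed FTP server log excerpt: time, client address, passive port announced.
FTP_LOG = """\
Apr 28 09:30:01 ftpd: PASV 10.1.5.20 port 41230
Apr 28 09:30:04 ftpd: PASV 10.1.5.20 port 41237
Apr 28 09:30:09 ftpd: PASV 10.1.5.20 port 41242
Apr 28 09:30:12 ftpd: PASV 10.1.5.20 port 41251
"""

# Constructed portscan.log excerpt in a "src:port -> dst:port" shape.
PORTSCAN_LOG = """\
Apr 28 09:30:02 10.1.5.20:33001 -> 10.1.5.2:41230 SYN ******S*
Apr 28 09:30:05 10.1.5.20:33002 -> 10.1.5.2:41237 SYN ******S*
Apr 28 09:30:10 10.1.5.20:33003 -> 10.1.5.2:41242 SYN ******S*
Apr 28 09:30:13 10.1.5.20:33004 -> 10.1.5.2:41251 SYN ******S*
Apr 28 09:31:40 10.1.9.77:44000 -> 10.1.5.2:22 SYN ******S*
Apr 28 09:31:41 10.1.9.77:44001 -> 10.1.5.2:23 SYN ******S*
Apr 28 09:31:41 10.1.9.77:44002 -> 10.1.5.2:25 SYN ******S*
Apr 28 09:31:42 10.1.9.77:44003 -> 10.1.5.2:80 SYN ******S*
"""


def _ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' of a log line into a datetime."""
    return datetime.strptime(f"{YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def parse_pasv(ftp_text):
    """Map (client_ip, passive_port) -> time the server announced that port."""
    issued = {}
    for line in ftp_text.splitlines():
        if " PASV " not in line:
            continue
        fields = line.split()          # ... 'PASV', client, 'port', port
        client, port = fields[-3], int(fields[-1])
        issued[(client, port)] = _ts(line)
    return issued


def parse_portscan(text):
    """Return [(time, src_ip, dst_port)] for each portscan.log entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        src_ip = fields[3].rsplit(":", 1)[0]
        dst_port = int(fields[5].rsplit(":", 1)[1])
        entries.append((_ts(line), src_ip, dst_port))
    return entries


def classify(entries, pasv_issued, grace=timedelta(seconds=30)):
    """Label a probe 'ftp-passive' when the same client was handed that port
    as a PASV data port within `grace` before the probe, else 'unexplained'."""
    labelled = []
    for when, src, port in entries:
        issued_at = pasv_issued.get((src, port))
        ok = issued_at is not None and timedelta(0) <= when - issued_at <= grace
        labelled.append((src, port, "ftp-passive" if ok else "unexplained"))
    return labelled


def trips_threshold(entries, ports=4, seconds=20):
    """Sources that touch >= `ports` distinct ports within any `seconds`
    window, i.e. the rule the post's 'portscan: $HOME_NET 4 20' line sets."""
    by_src = defaultdict(list)
    for when, src, port in entries:
        by_src[src].append((when, port))
    flagged = set()
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            window = {p for t, p in probes[i:] if t - start <= timedelta(seconds=seconds)}
            if len(window) >= ports:
                flagged.add(src)
                break
    return flagged


def summarize(ftp_text=FTP_LOG, scan_text=PORTSCAN_LOG):
    """{src: {'ftp-passive': n, 'unexplained': n}} for every flagged source."""
    entries = parse_portscan(scan_text)
    labelled = classify(entries, parse_pasv(ftp_text))
    summary = {src: {"ftp-passive": 0, "unexplained": 0}
               for src in trips_threshold(entries)}
    for src, _, label in labelled:
        if src in summary:
            summary[src][label] += 1
    return summary


if __name__ == "__main__":
    for src, counts in summarize().items():
        print(src, counts)
```

With the constructed input, the grad-student-style host 10.1.5.20 trips the 4-ports-in-20-seconds rule but every one of its probes maps to a PASV port the server issued a second earlier, while 10.1.9.77 trips the same rule with no FTP explanation. A source whose alerts are all "ftp-passive" is a candidate for the `portscan-ignorehosts` list or for a higher port threshold; anything left "unexplained" still deserves a look.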


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users