Snort mailing list archives
Re: Interesting entries in BASE
From: Joel Esler <joel.esler () sourcefire com>
Date: Sun, 26 Feb 2006 18:59:46 -0500
That entry is from the sfportscan preprocessor. You can enable, tune, or disable this preprocessor via your snort.conf.
Joel

On Feb 26, 2006, at 6:11 PM, CasperLinux wrote:
This evening I'm evaluating the success of my newly created .htaccess file and found that I have several portscan entries originating from within my network. Destination is both inside and outside my local LAN. Below is the payload from one of these events. Does anyone have any input as to what may be causing this? I am NOT running any portscan program that I am aware of.

length = 140
000 : 50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20   Priority Count:
010 : 39 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75   9.Connection Cou
020 : 6E 74 3A 20 35 0A 49 50 20 43 6F 75 6E 74 3A 20   nt: 5.IP Count:
030 : 35 0A 53 63 61 6E 6E 65 64 20 49 50 20 52 61 6E   5.Scanned IP Ran
040 : 67 65 3A 20 31 39 32 2E 31 36 38 2E 30 2E 34 32   ge: 192.168.0.42
050 : 3A 36 34 2E 31 35 34 2E 38 30 2E 32 35 34 0A 50   :64.154.80.254.P
060 : 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74 3A   ort/Proto Count:
070 : 20 35 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 52 61    5.Port/Proto Ra
080 : 6E 67 65 3A 20 32 31 3A 34 34 33 0A               nge: 21:443.

Don
--
- Powered by Debian Linux -

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
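Added example, not part of the original messages or of Snort or BASE: a small decoder that rebuilds the sfportscan alert payload from the hex dump quoted above and splits it into its fields, so the counts and ranges can be reviewed when tuning the preprocessor. The function names are hypothetical, the dump is the one from the quoted message, and the range handling assumes IPv4 addresses as in this alert.

```python
import ipaddress
import re

# Payload as shown in the quoted message (offset : hex bytes   ASCII column).
DUMP = """\
000 : 50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20   Priority Count:
010 : 39 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75   9.Connection Cou
020 : 6E 74 3A 20 35 0A 49 50 20 43 6F 75 6E 74 3A 20   nt: 5.IP Count:
030 : 35 0A 53 63 61 6E 6E 65 64 20 49 50 20 52 61 6E   5.Scanned IP Ran
040 : 67 65 3A 20 31 39 32 2E 31 36 38 2E 30 2E 34 32   ge: 192.168.0.42
050 : 3A 36 34 2E 31 35 34 2E 38 30 2E 32 35 34 0A 50   :64.154.80.254.P
060 : 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74 3A   ort/Proto Count:
070 : 20 35 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 52 61    5.Port/Proto Ra
080 : 6E 67 65 3A 20 32 31 3A 34 34 33 0A               nge: 21:443.
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2} ?){1,16})")

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from the hex columns, checking each row's offset."""
    buf = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # e.g. a "length = ..." line or a blank line
        if int(m.group(1), 16) != len(buf):
            raise ValueError(f"gap or reordering at offset {m.group(1)}")
        buf += bytes.fromhex(m.group(2))  # ASCII column is never read
    return bytes(buf)

def parse_sfportscan(payload: bytes) -> dict:
    """Split 'Key: value' lines; counts become ints, ranges become tuples."""
    out = {}
    for line in payload.decode("ascii").splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key.endswith("Count"):
            out[key] = int(value)
        elif key == "Scanned IP Range":  # low:high, IPv4 assumed
            out[key] = tuple(ipaddress.ip_address(p) for p in value.split(":"))
        elif key == "Port/Proto Range":
            out[key] = tuple(int(p) for p in value.split(":"))
    return out

if __name__ == "__main__":
    alert = parse_sfportscan(dump_to_bytes(DUMP))
    lo, hi = alert["Scanned IP Range"]
    print(alert)
    print("range spans private and public space:", lo.is_private != hi.is_private)
```

For this alert the range bounds are one private and one public address, which matches the poster's observation that the destinations are both inside and outside the LAN.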
Current thread:
- Interesting entries in BASE CasperLinux (Feb 26)
- Re: Interesting entries in BASE Joel Esler (Feb 26)
- Re: Interesting entries in BASE CasperLinux (Feb 26)
- Re: Interesting entries in BASE Joel Esler (Feb 26)