Snort mailing list archives
RE: spp_portscan
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Fri, 22 Jun 2001 08:34:16 -0700
spp == Snort Preprocessor Plugin
portscan == Snort Portscan Plugin

This alert was not generated by a rule, therefore no packets were captured to log. The alert was generated by a separate program that comes with snort. In snort.conf look for a line like:

    preprocessor portscan: $HOME_NET 10 3 portscan.log

Which says alert on any external system hitting systems in $HOME_NET at a rate greater than or equal to 10 systems in 3 seconds (these two numbers may be different in your config).

-----Original Message-----
From: niko () digitalenigma com [mailto:niko () digitalenigma com]
Sent: Friday, June 22, 2001 08:17
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_portscan

Since putting this firewall up I have been receiving a barrage of alerts with the following information. It doesn't seem to give me much to go on and I have been unable to find any decent info about what exactly an spp_portscan is. Plus I find it extremely odd that there is no source or destination info short of what shows up in the "Triggered Signature" section of ACID. Also, there is no payload info. Maybe I am missing something obvious but would greatly appreciate any light anyone can shed on this issue.

Thank you,
Niko

#1-(39-908) spp_portscan: portscan status from my.dns.server.ip: 1 connections across 1 hosts: TCP(0), UDP(1) 2001-06-22 10:45:18 unknown unknown IP

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
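
Added example, not part of either message and not Snort's own code: a Python parser for the `preprocessor portscan:` line and the `spp_portscan: portscan status` alert text quoted in the thread, totalling status alerts per source so that sources which only ever touched one host stand out during triage. The sample alert lines and addresses are constructed, and the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Alert text layout copied from the status line quoted in the thread.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
# Layout of the snort.conf line shown in the reply.
CONF_RE = re.compile(
    r"^\s*preprocessor\s+portscan:\s+(?P<network>\S+)\s+(?P<count>\d+)"
    r"\s+(?P<seconds>\d+)\s+(?P<logfile>\S+)\s*$")

# Constructed sample alerts (documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    "spp_portscan: portscan status from 192.0.2.53: 1 connections across 1 hosts: TCP(0), UDP(1)",
    "spp_portscan: portscan status from 192.0.2.53: 2 connections across 1 hosts: TCP(0), UDP(2)",
    "spp_portscan: portscan status from 198.51.100.7: 40 connections across 12 hosts: TCP(40), UDP(0)",
    "an unrelated alert line that must be skipped",
]

def parse_conf(line):
    """Split the preprocessor line into its four fields, or return None."""
    m = CONF_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["count"], fields["seconds"] = int(fields["count"]), int(fields["seconds"])
    return fields

def summarize(lines):
    """Total status alerts per source; lines in other formats are skipped."""
    totals = defaultdict(
        lambda: {"alerts": 0, "conns": 0, "max_hosts": 0, "tcp": 0, "udp": 0})
    for line in lines:
        m = STATUS_RE.search(line)
        if m is None:
            continue
        t = totals[m["src"]]
        t["alerts"] += 1
        t["conns"] += int(m["conns"])
        t["max_hosts"] = max(t["max_hosts"], int(m["hosts"]))
        t["tcp"] += int(m["tcp"])
        t["udp"] += int(m["udp"])
    return dict(totals)

def single_host_sources(summary, max_hosts=1):
    """Sources whose status alerts never spanned more than max_hosts hosts."""
    return sorted(s for s, t in summary.items() if t["max_hosts"] <= max_hosts)
```
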