Snort mailing list archives
RE: FTP seen as portscan?
From: "Stephen C Burns" <sburns () farpointer net>
Date: Wed, 27 Jun 2001 10:28:01 -0500
Great question. I know that this is an FTP connect because the source IP is the internet interface of my NAT router (server is colocated elsewhere) and my ftpd's logs reflect connection states that match up with these timestamps. However, I don't know what type of client this someone is using. I know that this person was only logged in once.

-----Original Message-----
From: Paul Murphy [mailto:paul.murphy () crestco co uk]
Sent: Wednesday, June 27, 2001 10:24 AM
To: sburns () farpointer net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FTP seen as portscan?

Hmm... what is this... Getright or some other ftp multiconnector?
"Stephen C Burns" <sburns () farpointer net> 6/27/2001 04:03:00 pm >>>
Hi all,

I note several entries like the following in my /var/log/snort/alert file. These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293

I realize why FTP could possibly trigger this, but is there a logic in snort that would allow me to turn this off (other than removing the port scan rule, of course).

TIA!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd.                  The views expressed above are not necessarily those
33 Cannon Street.             held by CRESTCo Limited.
London EC4M 5SB (UK)
+44 (020) 7849 0000
http://www.crestco.co.uk
---------------------------------------------------------------------------------------------------------------------
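Added example (not code from the thread's authors or from the Snort project): a small Python replay of what the quoted alerts show. It parses the spp_portscan status lines from the thread and checks that the per-status connection counts add up to the TCP(49) total in the End-of-portscan line, then runs a sliding-window counter with the same "4 connections in 5 seconds" threshold over a constructed passive-mode FTP session (one control connection on port 21 plus one data connection per transfer, all to a single host) to show why a multi-connection FTP client trips it, and how an ignore list for a known FTP client or server address keeps the detector quiet for that traffic. The addresses 203.0.113.10 and 198.51.100.21, the port numbers and the timings are constructed; the window/threshold semantics ("alert once more than threshold connections fall inside the window") are this example's reading of the alert text, not a claim about Snort's exact implementation.

```python
"""Replay of the spp_portscan threshold logic over the alerts quoted in the thread.

Added example, not Snort code. Parses the quoted status lines, then simulates a
sliding-window connection counter with the THRESHOLD from the alert (4 in 5 s)
against a constructed passive-mode FTP session to one server.
"""
import re
from collections import deque

# The spp_portscan lines quoted in the thread (timestamps kept on the following line,
# as Snort writes them to /var/log/snort/alert).
ALERT_TEXT = """
[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4 connections exceeded in 5 seconds) [**]
06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1 hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1 hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s) hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
"""

STATUS_RE = re.compile(
    r"\[\*\*\] spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\) \[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
)
END_RE = re.compile(
    r"End of portscan from (?P<src>\S+): TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)"
)


def parse_status_lines(text):
    """Return one dict per 'portscan status' record found in the alert text."""
    return [
        {"src": m["src"], "conns": int(m["conns"]), "hosts": int(m["hosts"]),
         "tcp": int(m["tcp"]), "udp": int(m["udp"]), "ts": m["ts"]}
        for m in STATUS_RE.finditer(text)
    ]


def total_reported(text):
    """(sum of per-status connection counts, TCP total from the End-of-portscan line)."""
    status_sum = sum(r["conns"] for r in parse_status_lines(text))
    end = END_RE.search(text)
    return status_sum, (int(end["tcp"]) if end else None)


class PortscanCounter:
    """Sliding-window connection counter per source, with an ignore list.

    Fires once a source has more than `threshold` new connections inside the last
    `window_seconds` (this example's reading of 'THRESHOLD 4 connections exceeded
    in 5 seconds'). Connections whose source or destination is on the ignore list
    are not counted, which is how a known FTP client/server pair can be exempted.
    """

    def __init__(self, threshold=4, window_seconds=5.0, ignore_hosts=()):
        self.threshold = threshold
        self.window = window_seconds
        self.ignore = set(ignore_hosts)
        self.history = {}  # src -> deque of connection times inside the window

    def observe(self, t, src, dst, dport):
        """Record one new TCP connection; return True if src now exceeds the threshold."""
        if src in self.ignore or dst in self.ignore:
            return False
        q = self.history.setdefault(src, deque())
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


# Constructed addresses: the NAT router's public side and the colocated ftpd.
FTP_CLIENT = "203.0.113.10"
FTP_SERVER = "198.51.100.21"


def passive_ftp_session(start=0.0, data_connections=6):
    """Constructed connection list for one passive-mode FTP session: the control
    channel on port 21, then one data channel per transfer on an ephemeral server
    port, half a second apart. All go to a single host, as in the thread's alerts."""
    conns = [(start, FTP_CLIENT, FTP_SERVER, 21)]
    for i in range(data_connections):
        conns.append((start + 0.5 * (i + 1), FTP_CLIENT, FTP_SERVER, 40000 + i))
    return conns


def alerts_for(connections, ignore_hosts=()):
    """Run the counter over a connection list; return (time, src) for each alert."""
    det = PortscanCounter(ignore_hosts=ignore_hosts)
    return [(t, src) for t, src, dst, dport in connections if det.observe(t, src, dst, dport)]


if __name__ == "__main__":
    print("status records sum / End-of-portscan TCP total:", total_reported(ALERT_TEXT))
    print("alerts for plain FTP session:", alerts_for(passive_ftp_session()))
    print("alerts with FTP server ignored:", alerts_for(passive_ftp_session(), [FTP_SERVER]))
```

Running it shows the seven status records summing to exactly the 49 TCP connections in the End-of-portscan line, and the constructed session (seven connections in three seconds, all to one host) crossing the threshold on its fifth connection, which is the behaviour the poster is seeing; adding either end of the known FTP pair to the ignore list removes the alerts without touching the preprocessor's threshold for everything else.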
Current thread:
- FTP seen as portscan? Stephen C Burns (Jun 27)
- <Possible follow-ups>
- Re: FTP seen as portscan? Paul Murphy (Jun 27)
- RE: FTP seen as portscan? Stephen C Burns (Jun 27)