Snort mailing list archives

RE: FTP seen as portscan?


From: "Stephen C Burns" <sburns () farpointer net>
Date: Wed, 27 Jun 2001 10:28:01 -0500

Great question.  I know that this is an FTP connect because the source
IP is the internet interface of my NAT router (server is colocated
elsewhere) and my ftpd's logs reflect connection states that match up
with these timestamps.  However, I don't know what type of client this
someone is using.  I know that this person was only logged in once.

-----Original Message-----
From: Paul Murphy [mailto:paul.murphy () crestco co uk] 
Sent: Wednesday, June 27, 2001 10:24 AM
To: sburns () farpointer net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FTP seen as portscan?



Hmm... what is this...  Getright or some other ftp multiconnector?

"Stephen C Burns" <sburns () farpointer net> 6/27/2001 04:03:00 pm >>>

Hi all, 

I note several entries like the following in my /var/log/snort/alert
file.  These connections are verified as FTP traffic.

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4
connections exceeded in 5 seconds) [**] 06/22-14:21:44.903196 
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1
hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479 
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1
hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738 
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1
hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497 
[**] spp_portscan: portscan status from x.x.x.x4: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503 
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514 
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806 
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s)
hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293 

I realize why FTP could possibly trigger this, but is there logic in
snort that would allow me to turn this off (other than removing the port
scan rule, of course)?  TIA!


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



---------------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd.             The views expressed above are not necessarily those
33 Cannon Street.        held by CRESTCo Limited.
London  EC4M 5SB (UK)
+44 (020) 7849 0000      http://www.crestco.co.uk
---------------------------------------------------------------------------------------------------------------------------
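The triage question in this thread is whether a spp_portscan episode is a real horizontal scan or a single host opening many legitimate connections (a multi-connection FTP client, active-mode data channels). The script below is an added example, not code from the thread or from the Snort project: it parses the Snort 1.x spp_portscan alert format quoted above (DETECTED, status and End lines, with the timestamp on the following line or wrapped onto the same one), reconstructs the episode per source address, checks the status lines against the End summary, and classifies the pattern. The sample alert text is the block from the original post with the source left anonymized as x.x.x.x; the `ignorehosts_directive` helper assumes the Snort 1.x `preprocessor portscan-ignorehosts` syntax, and the 203.0.113.5/32 address in its usage is a constructed placeholder.

```python
"""Triage helper for Snort 1.x spp_portscan alerts (added example, not part of the thread).

Groups DETECTED / status / End lines into one episode per source, verifies that the
per-status connection counts add up to the End summary, and labels the episode as a
single-host TCP burst (what a multi-connection FTP client produces) or a multi-host
pattern that deserves a closer look.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: the alert block from the original post, source anonymized as x.x.x.x.
# Lines are wrapped the way the mail client wrapped them; the parser rejoins them.
SAMPLE_ALERTS = """\
[**] spp_portscan: PORTSCAN DETECTED from x.x.x.x (THRESHOLD 4
connections exceeded in 5 seconds) [**] 06/22-14:21:44.903196
[**] spp_portscan: portscan status from x.x.x.x: 13 connections across 1
hosts: TCP(13), UDP(0) [**]
06/22-14:21:48.357479
[**] spp_portscan: portscan status from x.x.x.x: 3 connections across 1
hosts: TCP(3), UDP(0) [**]
06/22-14:22:03.874738
[**] spp_portscan: portscan status from x.x.x.x: 5 connections across 1
hosts: TCP(5), UDP(0) [**]
06/22-14:22:07.083497
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:11.200503
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:15.096514
[**] spp_portscan: portscan status from x.x.x.x: 9 connections across 1
hosts: TCP(9), UDP(0) [**]
06/22-14:22:30.009806
[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1
hosts: TCP(1), UDP(0) [**]
06/22-14:22:35.086806
[**] spp_portscan: End of portscan from x.x.x.x: TOTAL time(51s)
hosts(1) TCP(49) UDP(0) [**]
06/22-14:22:42.980293
"""

TS = r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"  # Snort 1.x alert timestamp, e.g. 06/22-14:21:44.903196
DETECTED_RE = re.compile(r"PORTSCAN DETECTED from (\S+) \(THRESHOLD (\d+) connections "
                         r"exceeded in (\d+) seconds\) \[\*\*\]\s+" + TS)
STATUS_RE = re.compile(r"portscan status from (\S+?): (\d+) connections across (\d+) hosts: "
                       r"TCP\((\d+)\), UDP\((\d+)\) \[\*\*\]\s+" + TS)
END_RE = re.compile(r"End of portscan from (\S+?): TOTAL time\((\d+)s\) hosts\((\d+)\) "
                    r"TCP\((\d+)\) UDP\((\d+)\) \[\*\*\]\s+" + TS)


@dataclass
class Episode:
    source: str
    threshold: int = 0                 # connections that tripped the preprocessor
    window_s: int = 0                  # within this many seconds
    first_seen: Optional[str] = None   # timestamp of the DETECTED line
    status: list = field(default_factory=list)  # (timestamp, connections, hosts, tcp, udp)
    end: Optional[tuple] = None        # (timestamp, total_s, hosts, tcp, udp)


def parse_portscan_alerts(text: str) -> dict:
    """Return {source: Episode}. Joins wrapped lines first so the regexes see whole alerts."""
    flat = " ".join(line.strip() for line in text.splitlines())
    episodes: dict = {}
    ep = lambda src: episodes.setdefault(src, Episode(src))
    for m in DETECTED_RE.finditer(flat):
        src, thr, win, ts = m.groups()
        e = ep(src)
        e.threshold, e.window_s, e.first_seen = int(thr), int(win), ts
    for m in STATUS_RE.finditer(flat):
        src, conns, hosts, tcp, udp, ts = m.groups()
        ep(src).status.append((ts, int(conns), int(hosts), int(tcp), int(udp)))
    for m in END_RE.finditer(flat):
        src, total, hosts, tcp, udp, ts = m.groups()
        ep(src).end = (ts, int(total), int(hosts), int(tcp), int(udp))
    return episodes


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%m/%d-%H:%M:%S.%f")  # year is unknown; only deltas are used


def summarize(e: Episode) -> dict:
    """Cross-check status lines against the End line and classify the episode."""
    status_sum = sum(s[1] for s in e.status)
    end_total = (e.end[3] + e.end[4]) if e.end else None
    max_hosts = max((s[2] for s in e.status), default=0)
    udp_seen = any(s[4] for s in e.status)
    if max_hosts > 1:
        verdict = "multi-host (horizontal) pattern"      # worth an analyst's look
    elif udp_seen:
        verdict = "single-host mixed TCP/UDP"
    else:
        verdict = "single-host TCP burst"                 # typical of multi-connection FTP clients
    elapsed = ((_ts(e.end[0]) - _ts(e.first_seen)).total_seconds()
               if e.end and e.first_seen else None)
    return {"source": e.source, "status_connection_sum": status_sum, "end_total": end_total,
            "consistent": status_sum == end_total, "max_hosts": max_hosts,
            "elapsed_s": elapsed, "verdict": verdict}


def ignorehosts_directive(sources) -> str:
    """Snort 1.x snort.conf line excluding known-good hosts from spp_portscan (assumed syntax)."""
    return "preprocessor portscan-ignorehosts: " + " ".join(sources)


if __name__ == "__main__":
    for e in parse_portscan_alerts(SAMPLE_ALERTS).values():
        print(summarize(e))
    print(ignorehosts_directive(["203.0.113.5/32"]))  # placeholder address for a trusted NAT egress
```

Run against the post's own alerts, the seven status lines sum to 49 connections, matching the End line's TCP(49) with hosts(1) throughout, which is the single-host burst profile rather than a sweep across hosts. For a known source such as the poster's own NAT egress, Snort 1.x let you exclude that address with the companion `portscan-ignorehosts` preprocessor instead of removing spp_portscan altogether; raising the connection threshold or time window on the `preprocessor portscan:` line is the blunter alternative.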

