Snort mailing list archives

Re: is there anyway of stoping this?


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 31 May 2001 12:43:17 -0600 (MDT)

On Thu, 31 May 2001, Ben Johansen wrote:

I have looked at whitehats.com and found no direct reference to this
portscan

the spp_ indicates that it's the Snort Pre-Processor that's spotting
these, not a whitehats rule, I think.


--start log view---
05/31-01:53:39.840000  [**] spp_portscan: PORTSCAN DETECTED from
156.46.219.190 (STEALTH) [**]
05/31-01:54:32.255000  [**] spp_portscan: portscan status from
156.46.219.190: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
05/31-01:55:35.155000  [**] spp_portscan: End of portscan from
156.46.219.190: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
--end log view---

Can it be stopped?

I think this FAQ item starts to address your question, though it's not a
complete answer:
http://www.snort.org/FAQ.html#q18

Is there a hole I have missed?

This log item is simply telling you that you're getting a port scan.  It
doesn't indicate whether a particular attempt is being made.

                                        Ryan
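
An added example, not part of the original post or of Snort itself: a small Python parser that rejoins the mail-wrapped spp_portscan records quoted above and collapses them into one row per source, showing what the preprocessor reported (one TCP connection to one host, flagged STEALTH). It handles only the three record shapes shown in the post; the dictionary field names are this example's own.

```python
import re

# The three alert lines quoted in the post, with the mail line wrapping kept.
SAMPLE = """\
05/31-01:53:39.840000  [**] spp_portscan: PORTSCAN DETECTED from
156.46.219.190 (STEALTH) [**]
05/31-01:54:32.255000  [**] spp_portscan: portscan status from
156.46.219.190: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
05/31-01:55:35.155000  [**] spp_portscan: End of portscan from
156.46.219.190: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
"""

PATTERNS = {
    "detected": re.compile(r"spp_portscan: PORTSCAN DETECTED from (?P<src>\S+) \((?P<note>[^)]*)\)"),
    "status": re.compile(r"spp_portscan: portscan status from (?P<src>[^\s:]+): (?P<conns>\d+) "
                         r"connections across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"),
    "end": re.compile(r"spp_portscan: End of portscan from (?P<src>[^\s:]+): TOTAL time\((?P<secs>\d+)s\) "
                      r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)"),
}

def parse(text):
    """Return one dict per spp_portscan record; wrapped continuation lines are rejoined first."""
    events = []
    # A newline not followed by a MM/DD-HH:MM:SS stamp is mail wrapping, not a new record.
    for rec in re.sub(r"\n(?!\d\d/\d\d-\d\d:\d\d:\d\d)", " ", text).splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(rec)
            if m:
                fields = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
                events.append({"kind": kind, "time": rec.split()[0],
                               "stealth": "STEALTH" in rec, **fields})
                break
    return events

def summarize(events):
    """Collapse events into one row per source, keeping the largest counters seen."""
    out = {}
    for e in events:
        row = out.setdefault(e["src"], {"first": e["time"], "hosts": 0, "tcp": 0, "udp": 0,
                                        "stealth": False, "ended": False})
        row["last"] = e["time"]
        for key in ("hosts", "tcp", "udp"):
            row[key] = max(row[key], e.get(key, 0))
        row["stealth"] |= e["stealth"]
        row["ended"] |= e["kind"] == "end"
    return out

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```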

