Snort mailing list archives
Re: is there anyway of stoping this?
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 31 May 2001 12:43:17 -0600 (MDT)
On Thu, 31 May 2001, Ben Johansen wrote:

> I have looked at whitehats.com and found no direct reference to this portscan

The spp_ indicates that it's the Snort Pre-Processor that's spotting these, not a whitehats rule, I think.

> --start log view---
> 05/31-01:53:39.840000 [**] spp_portscan: PORTSCAN DETECTED from 156.46.219.190 (STEALTH) [**]
> 05/31-01:54:32.255000 [**] spp_portscan: portscan status from 156.46.219.190: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
> 05/31-01:55:35.155000 [**] spp_portscan: End of portscan from 156.46.219.190: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
> --end log view---
>
> Can it be stopped?

I think this FAQ item starts to address your question, though it's not a complete answer: http://www.snort.org/FAQ.html#q18

> Is there a hole I have missed?

This log item is simply telling you that you're getting a port scan. It doesn't indicate whether a particular attempt is being made.

Ryan
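
As an added example (not part of the original messages and not Snort code), the following Python sketch parses the three spp_portscan line types quoted in this thread and summarizes each source address, which makes it easy to see that this "scan" was a single stealth TCP probe against one host. The function names, the `max_probes` threshold and the handling of repeated status lines are assumptions.

```python
import re

# Constructed sample input: the three alert lines quoted in the message above.
SAMPLE_LOG = """\
05/31-01:53:39.840000 [**] spp_portscan: PORTSCAN DETECTED from 156.46.219.190 (STEALTH) [**]
05/31-01:54:32.255000 [**] spp_portscan: portscan status from 156.46.219.190: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH [**]
05/31-01:55:35.155000 [**] spp_portscan: End of portscan from 156.46.219.190: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH [**]
"""

HEAD = r"^(?P<ts>\S+) \[\*\*\] spp_portscan: "
DETECTED = re.compile(HEAD + r"PORTSCAN DETECTED from (?P<src>[\d.]+)")
STATUS = re.compile(HEAD + r"portscan status from (?P<src>[\d.]+): \d+ connections "
                    r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")
END = re.compile(HEAD + r"End of portscan from (?P<src>[\d.]+): TOTAL time\((?P<secs>\d+)s\) "
                 r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)")


def summarize(log_text):
    """Group spp_portscan alert lines by source IP and return one summary per source."""
    scans = {}
    for line in log_text.splitlines():
        m = DETECTED.search(line) or STATUS.search(line) or END.search(line)
        if not m:
            continue  # not an spp_portscan line, or a format this sketch does not know
        s = scans.setdefault(m["src"], {"first_seen": m["ts"], "stealth": False,
                                        "hosts": 0, "tcp": 0, "udp": 0, "ended": False})
        s["stealth"] = s["stealth"] or "STEALTH" in line
        if m.re is DETECTED:
            continue
        counts = {k: int(m[k]) for k in ("hosts", "tcp", "udp")}
        if m.re is END:
            # The "End of portscan" line carries the totals, so it overrides status lines.
            s.update(counts, ended=True, seconds=int(m["secs"]))
        elif not s["ended"]:
            # Assumption: keep the largest figure seen in any status line until the end line.
            for k, v in counts.items():
                s[k] = max(s[k], v)
    return scans


def low_volume(summary, max_probes=3):
    """True when a finished scan touched one host with only a few probes."""
    probes = summary["tcp"] + summary["udp"]
    return summary["ended"] and summary["hosts"] <= 1 and probes <= max_probes


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        kind = "stealth" if s["stealth"] else "normal"
        print(f"{src}: {kind} scan, hosts={s['hosts']} tcp={s['tcp']} udp={s['udp']} "
              f"low_volume={low_volume(s)}")
```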