Snort mailing list archives

guardian + snort


From: Dariusz Brzeziński <dariusz.brzezinski () implozja kalisz pl>
Date: Sat, 8 Sep 2001 13:21:06 +0200

Hello to all - I'm new here :-)

I don't know if any of you are using snort+guardian, but I'd like
to ask one question:
Why does guardian see

[**] [1:1002:1]  <ppp0> WEB-IIS cmd.exe access [**]

in snort's alert file and correctly blocks it and DOES NOT see:

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 212.106.168.62 (THRESHOLD 4 connections exceeded in 0 seco
09/08-03:49:41.593784

[**] [100:2:1]  <ppp0> spp_portscan: portscan status from 212.106.168.62: 44 connections across 1 hosts: TCP(44), UDP(0) [**]
09/08-03:49:45.055077

In the end it blocks less important things and does not block portscanning.

TIA for help

  

-- 
Best regards,
 Dariusz                          mailto:dariusz.brzezinski () implozja kalisz pl

