Snort mailing list archives

Re: Portscans using spp_portscan


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 16 Oct 2001 22:21:45 -0700 (PDT)

On Wed, 17 Oct 2001, Shane Machon wrote:

> Greetings,

We are from the planet Snort.  All bow to our Master--Snorticus.

[God--Too much late night SciFi Channel....]

> I am seeing constant portscans from my local ip address when running the
> stream4 detect portscans plugin.
>
> spp_portscan: PORTSCAN DETECTED from (My Local IP)
> spp_portscan: portscan status from (My Local IP): 1 connections across 1 hosts: TCP(1), UDP(0)
> spp_portscan: portscan status from (My Local IP): 2 connections across 2 hosts: TCP(1), UDP(1)
> spp_portscan: portscan status from (My Local IP): 1 connections across 1 hosts: TCP(1), UDP(0)
> ...........................

Actually that's not from stream4, it's from spp_portscan.

> How is this possible? Nobody is running a portscanner of any type from
> this machine, the system is not running dns or web traffic (only smtp).

Is SMTP the only traffic you see to this box?  If you do a 'snort -dv host <my
local ip>', what traffic does it show on the screen?

Can you view these packets?  Are you logging them?  If you are, dump them back
and view the decoded output.  You might see something in the decode that might
let you know what's going on.

Ping thought:  What is your snort.conf entry for the spp_portscan config?  The
one that's something like "preprocessor portscan: $HOME_NET 7 4 portscan.log".

> Am I missing something simple? Should I be worried?

It might not even be something simple, but something does sound odd.  I'd say
no.  It sounds more like a misconfiguration to me.

> Using Redhat 7.0 Snort 1.8.1 RPM Package (no DB Support)

Ug...  I'm sorry.  ;-)

> Any help appreciated.

I guess 'move off of RH' wouldn't be feasible?  *grin*

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
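As an added example (not part of this thread, and not Snort's own code), here is a small script that parses the spp_portscan status lines quoted above together with the snort.conf entry Erek asks about, and lists the sources whose reported connection counts never reached the configured port threshold, which is the kind of alert worth checking against a packet dump before treating it as a scan. It assumes the Snort 1.x column order `<network> <ports> <seconds> <logfile>` for the preprocessor line, and the IP addresses in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict
# Status lines as quoted in the post; the "PORTSCAN DETECTED" header carries no counts.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)
# Assumed Snort 1.x column order: <network> <ports> <seconds> <logfile>.
CONFIG_RE = re.compile(
    r"preprocessor portscan:\s+(?P<net>\S+)\s+(?P<ports>\d+)\s+(?P<secs>\d+)\s+(?P<log>\S+)"
)

def parse_config(conf_line):
    """Return (network, port_threshold, seconds, logfile) from a snort.conf entry."""
    m = CONFIG_RE.search(conf_line)
    if not m:
        raise ValueError("not a portscan preprocessor line: %r" % conf_line)
    return m["net"], int(m["ports"]), int(m["secs"]), m["log"]

def summarize(log_lines):
    """Per source: number of status lines and the peak/total counts they report."""
    per_src = defaultdict(lambda: {"alerts": 0, "max_conns": 0, "max_hosts": 0, "tcp": 0, "udp": 0})
    for line in log_lines:
        m = STATUS_RE.search(line)
        if not m:
            continue
        s = per_src[m["src"]]
        s["alerts"] += 1
        s["max_conns"] = max(s["max_conns"], int(m["conns"]))
        s["max_hosts"] = max(s["max_hosts"], int(m["hosts"]))
        s["tcp"] += int(m["tcp"])
        s["udp"] += int(m["udp"])
    return dict(per_src)

def below_threshold(summary, port_threshold):
    """Sources whose reported connection count never reached the configured
    port count: worth checking against a packet dump before calling them scans."""
    return sorted(src for src, s in summary.items() if s["max_conns"] < port_threshold)

# Constructed sample: the post's status lines with placeholder (documentation) IPs.
SAMPLE_LOG = """\
spp_portscan: PORTSCAN DETECTED from 192.0.2.10
spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0)
spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(1), UDP(1)
spp_portscan: portscan status from 198.51.100.7: 12 connections across 1 hosts: TCP(12), UDP(0)
""".splitlines()
SAMPLE_CONF = "preprocessor portscan: $HOME_NET 7 4 portscan.log"

if __name__ == "__main__":
    print(below_threshold(summarize(SAMPLE_LOG), parse_config(SAMPLE_CONF)[1]))
```

With the "7 4" entry from the thread, the placeholder local host is reported because none of its status lines reach seven connections, which is the same mismatch Erek suspects points at a misconfiguration rather than a real scan.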


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

