Snort mailing list archives
portscan ?
From: "Ashley Thomas" <athomas () cc gatech edu>
Date: Sun, 9 Jun 2002 01:21:31 -0400
Hi,

While analysing what caused a portscan, I see a lot of portscans in my network are like this:

Jun 8 22:20:29 A.B.C.97:4998 -> M.N.127.90:80 SYN ******S*
Jun 8 22:20:26 A.B.C.97:4987 -> X.Y.37.101:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1033 -> U.M.237.140:80 SYN ******S*
Jun 8 22:20:27 A.B.C.97:4993 -> A.W.209.13:80 SYN ******S*
Jun 8 22:20:28 A.B.C.97:4995 -> P.Q.64.132:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1026 -> Q.R.212.39:80 SYN ******S*
Jun 8 22:20:31 A.B.C.97:1031 -> L.M.237.128:80 SYN ******S*

where A.B.C.0 is my network.

I think when A.B.C.97 issues different requests to different web servers, snort somehow sees this as a portscan. Can I specify something in the configuration so that snort will not see this as a portscan? Any pointers/ideas?

I am running snort as

./snort -i eth1 -h A.B.C.0/16 -c snort.conf -l./LOGS/ -d

thanks
ashley thomas