Snort mailing list archives
non privileged portscans
From: TheEagleSociety () netscape net (Eagle_2-7)
Date: Wed, 17 Apr 2002 05:12:44 -0400
hi out there, i'm new and hadn't found the answer to the following problem: Apr 15 15:36:53 source-ip-address:1836 -> dest-ip-address:26112 SYN ******S* Apr 15 15:36:54 source-ip-address:1837 -> dest-ip-address:26117 SYN ******S* Apr 15 15:36:54 source-ip-address:1838 -> dest-ip-address:26126 SYN ******S* .... portscan-plugin logged these "portscans", but these are only non-privileged ports (>1024). I got over 5000 scanned ports from the same ip and all scanned non-privileged ports. I don't think, that a hacker tries to hijack a connection. - Is it a false alarm from the portscan-plugin of snort? - Can an application rise these portscan-alerts? - Is it possible to stop logging portscans where the scanned ports are over i.e. port 5000 The options, my snort is running with: snort -A fast -b -c /etc/snort/snort.conf -d -D -e -g snort \ -G url -u snort -v Thanks Addy __________________________________________________________________ Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/ Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- non privileged portscans Eagle_2-7 (Apr 17)
- <Possible follow-ups>
- RE: non privileged portscans Wirth, Jeff (Apr 17)