RE: non privileged portscans

["Wirth, Jeff" <WirthJe () DNB com>]

Addy,

> i'm new and hadn't found the answer to the following problem:
>
> Apr 15 15:36:53 source-ip-address:1836 -> 
> dest-ip-address:26112 SYN ******S*
> Apr 15 15:36:54 source-ip-address:1837 -> 
> dest-ip-address:26117 SYN ******S*
> Apr 15 15:36:54 source-ip-address:1838 -> 
> dest-ip-address:26126 SYN ******S*
> ....
>
> portscan-plugin logged these "portscans", but these are only 
> non-privileged ports (>1024). I got over 5000 scanned ports 
> from the same ip and all scanned non-privileged ports.
> I don't think, that a hacker tries to hijack a connection.
>
> - Is it a false alarm from the portscan-plugin of snort? 

Doubtful..

> - Can an application rise these portscan-alerts?

Yes, there are a few services/applications, DNS for example, that do tend to
play havoc with the portscan preprocessor.  But, I don't believe this is
happening in your case.

> - Is it possible to stop logging portscans where the scanned ports are
>   over i.e. port 5000

Nope. Check the portscan section of your snort.conf for preprocessor
options.  

> The options, my snort is running with:
> snort -A fast -b -c /etc/snort/snort.conf -d -D -e -g snort \
>       -G url -u snort -v

Keep in mind that there are a just a *few* trojans that live above port 1024
or 5000 for that matter.  IMHO, this is most likely what attacker was
probing for...

- Jeff

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users