Snort mailing list archives
RE: Port scans behind Firewall?
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 15 Jun 2005 11:36:20 -0400
James,

These aren't inbound scans, they're normal outbound traffic being misinterpreted by the portscan2 preprocessor. You should upgrade to Snort 2.3 and move from the portscan2 preprocessor to the flow & flow-portscan preprocessors. This will fix your problem with false-positive alerts for portscans.

PaulM

-----Original Message-----
Subject: [Snort-users] Port scans behind Firewall?

06/13-15:29:43.021986 [**] [117:1:1] (spp_portscan2) Portscan detected from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP} 204.227.127.209:80 -> 192.168.0.6:11423
06/13-15:30:54.461331 [**] [117:1:1]
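An added example, not part of the original post or of Snort: a triage script for the alert format quoted above that flags portscan2 alerts shaped like replies from an outside server to one inside client. The internal ranges, the service-port set, the ephemeral-port threshold and the second sample line are assumptions made for the example.

```python
import ipaddress
import re

# Layout of the spp_portscan2 fast-alert line quoted in this thread.
ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in \d+ seconds "
    r"\[\*\*\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Assumptions: RFC 1918 space is "inside"; these are services clients reach
# outbound; ports >= 1024 are client-side ephemeral ports.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICE_PORTS = {25, 53, 80, 110, 143, 443}
EPHEMERAL_MIN = 1024

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return (verdict, fields), or None if the line is not a portscan2 alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    # Reply shape: outside server port -> one inside client, ephemeral port.
    reply_shaped = (
        not is_internal(f["src"]) and is_internal(f["dst"])
        and int(f["sport"]) in SERVICE_PORTS
        and int(f["dport"]) >= EPHEMERAL_MIN
        and int(f["targets"]) == 1
    )
    return ("likely-reply-traffic" if reply_shaped else "review", f)

SAMPLE = [
    # From the original message in this thread.
    "06/13-15:29:43.021986 [**] [117:1:1] (spp_portscan2) Portscan detected "
    "from 204.227.127.209: 1 targets 21 ports in 1 seconds [**] {TCP} "
    "204.227.127.209:80 -> 192.168.0.6:11423",
    # Constructed: many targets, client-side source port, service destination.
    "06/13-16:02:10.000000 [**] [117:1:1] (spp_portscan2) Portscan detected "
    "from 203.0.113.5: 6 targets 40 ports in 2 seconds [**] {TCP} "
    "203.0.113.5:40112 -> 192.168.0.6:22",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        verdict, f = classify(entry)
        print(verdict, f["src"], f["sport"], "->", f["dst"], f["dport"])
```

A "likely-reply-traffic" verdict is a triage hint for sorting alerts, so confirm it against session or firewall state data before dismissing the alert.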