RE: [Snort-users] postscan
This is a discussion on RE: [Snort-users] postscan within the Snort forums, part of the System Security and Security Related category; I can't easily find the specific detection techniques used to generate these alerts, but this is sfportscan thinking it'...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
09-15-2005
|
|||
|
|||
RE: [Snort-users] postscan
I can't easily find the specific detection techniques used to generate these
alerts, but this is sfportscan thinking it's detected a UDP port scan where multiple IPs are involved in a single scan of your network (distributed) or where the source IPs have been spoofed (decoy). Being that they're UDP "scans," I would think it may be a false positive triggered by SQL worm traffic, DNS traffic, or something else along those lines. Tough to say without seeing the specific src/dst info for those alerts, though. PaulM ________________________________ Subject: [Snort-users] postscan I am seeing several of the below and am wondering what this is: * UDP Distributed Portscan * UDP Decoy Portscan ------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
