Snort Portscan Question
Results 1 to 5 of 5

Thread: Snort Portscan Question

  1. #1
    Junior Member
    Join Date
    Jul 2003

    Snort IDS Question

    When I review my snort logs I see lots of entried like this:

    [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from XX.XX.XXX.XXX (THRESHOLD 4 connections exceeded in 2 seconds) [**]

    [**] [100:2:1] spp_portscan: portscan status from XX.XX.XXX.XXX: 2 connections across 2 hosts: TCP(2), UDP(0) [**]

    Now the problem is these scans are originating from my own IP & they seem to coincide with broswer requests, I can see them being logged as I'm surfing.

    So my question is:

    Is my system compromised?

    If not is there a rule to stop this from being logged without leaving myself open to scans?
    (I've looked high & low via google &

    My system: Mac G4, OS X 10.2.6, Snort 2.0, software firewall (IPFW) all on a glorious 56k dialup.

    Any help would be appreciated.
    When in danger or in doubt run in circles scream and shout.

  2. #2
    Junior Member
    Join Date
    Jul 2003
    spp == Snort Preprocessor Plugin
    portscan == Snort Portscan Plugin

    This alert was not generated by a rule, therefore no packets were captured
    to log. The alert was generated by a seperate program that comes with

    In snort.conf look for a line like:
    preprocessor portscan: $HOME_NET 10 3 portscan.log

    Which says alert on any external system hitting systems in $HOME_NET at a
    rate greater than or equal to 10 systems in 3 seconds (these two numbers may
    be different in your config).

    Here is the thread:
    Let me know if this is close.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    On that same snort.conf line you'll find the filename of a portscan.log. Take alook at it. It shows which host(s) are connecting to which port(s). See if you can post it here and somebody should be able to tell you what's going on. It maybe just regular Internet traffic.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    You've configured snort incorrectly.

    Your own IPs are supposed to be in $HOME_NET or something similar (I can't quite remember). This will prevent them from being flagged as the source of attacks.

    I hope none of your users is using any P2P software, or snort becomes instantly almost useless (P2P is *WAY* too promiscuous).

    P2P is the enemy of IDS.

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Allright I changed the threshold in my conf file. That seems to have stopped it without affecting detection of real portscans, or at least the one I've run from as well as my own Nmap scans. Hopefully there will be no reoccurence <grits teeth>
    When in danger or in doubt run in circles scream and shout.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts