Actually, the IP address of my machine has been sanitized. Perhaps to avoid confusion, next time
I'll just use xxx.xxx.xxx.xxx instead.

You asked about the placement of my IDS. Well, it's sitting on our firewall; the box doubles
as firewall and IDS.

You also mentioned firewall rulesets. I didn't really think it mattered, but yes, I have rulesets
in place blocking incoming SSH traffic from everyone except the authorized hosts.

Here is the complete alert, complete with the firewall ACL violation:

-- snip snip


Jul 14 21:09:14 securelinux kernel: Packet log: input DENY eth0 PROTO=6 211.172.121.210:22 xxx.xxx.xxx.xxx:22 L=40 S=0x00 I=39426 F=0x0000 T=20 SYN (#23)
Jul 14 21:09:14 securelinux snort[177]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
Jul 14 21:09:14 securelinux snort[177]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)
Jul 14 21:09:14 securelinux snort[5645]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
Jul 14 21:09:14 securelinux snort[5645]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)

Thanks for your reply about TTL values. I'll head back to the classroom and read up
a little on TTL.

appreciate :>
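As an added example (not part of the original post or its author's setup), the script below parses the five syslog lines quoted above, splitting the ipchains "Packet log" DENY entry into its fields (chain, rule number, ports, TTL, TCP flags) and the Snort spp_stream4 / spp_portscan messages into theirs, then groups everything by source IP to show whether the firewall deny is corroborated by an IDS alert for the same source within a time window. It assumes only the Python 3 standard library; the field names, the 60-second window and the de-duplication of identical Snort messages logged by two different PIDs are choices made here, not anything the post describes.

```python
"""Correlate ipchains kernel packet-log DENY entries with Snort preprocessor
alerts that share a source IP and fall within a short time window.

Added example using the log lines quoted in the post as constructed sample
input; field names and the correlation window are assumptions of this script.
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the five syslog lines quoted in the post.
SAMPLE_LOG = """\
Jul 14 21:09:14 securelinux kernel: Packet log: input DENY eth0 PROTO=6 211.172.121.210:22 xxx.xxx.xxx.xxx:22 L=40 S=0x00 I=39426 F=0x0000 T=20 SYN (#23)
Jul 14 21:09:14 securelinux snort[177]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
Jul 14 21:09:14 securelinux snort[177]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)
Jul 14 21:09:14 securelinux snort[5645]: [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection {TCP} 211.172.121.210:22 -> xxx.xxx.xxx.xxx:22
Jul 14 21:09:14 securelinux snort[5645]: spp_portscan: PORTSCAN DETECTED to port 22 from 211.172.121.210 (STEALTH)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# ipchains packet log: chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*?) \(#(?P<rule>\d+)\)"
)
SNORT_STREAM4_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] spp_stream4: STEALTH ACTIVITY "
    r"\((?P<kind>[^)]+)\) detection \{(?P<proto>\w+)\} "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)"
)
SNORT_PORTSCAN_RE = re.compile(
    r"spp_portscan: PORTSCAN DETECTED to port (?P<dport>\d+) from (?P<src>[\w.]+) \((?P<mode>\w+)\)"
)


def parse_line(line):
    """Return an event dict for a recognised firewall or Snort line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults it to 1900, which is
    # fine for measuring intervals within one capture.
    base = {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "msg": m.group("msg"),
    }
    if base["prog"] == "kernel":
        k = IPCHAINS_RE.search(base["msg"])
        if k:
            return {**base, "type": "fw_" + k.group("action").lower(),
                    "chain": k.group("chain"), "iface": k.group("iface"),
                    "src": k.group("src"), "sport": int(k.group("sport")),
                    "dst": k.group("dst"), "dport": int(k.group("dport")),
                    "len": int(k.group("len")), "ttl": int(k.group("ttl")),
                    "flags": k.group("flags").split(), "rule": int(k.group("rule"))}
    elif base["prog"] == "snort":
        s = SNORT_STREAM4_RE.search(base["msg"])
        if s:
            return {**base, "type": "ids_stealth", "kind": s.group("kind"),
                    "src": s.group("src"), "sport": int(s.group("sport")),
                    "dst": s.group("dst"), "dport": int(s.group("dport"))}
        p = SNORT_PORTSCAN_RE.search(base["msg"])
        if p:
            return {**base, "type": "ids_portscan", "src": p.group("src"),
                    "dport": int(p.group("dport")), "mode": p.group("mode")}
    return None


def parse_log(text):
    """Parse every line of a syslog excerpt, skipping unrecognised ones."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def correlate(events, window_seconds=60):
    """Group events by source IP; a deny is 'corroborated' when the same source
    also produced at least one IDS alert and all events fit in the window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        denies = [e for e in evs if e["type"] == "fw_deny"]
        ids = [e for e in evs if e["type"].startswith("ids_")]
        # Identical alerts logged by two snort PIDs count once.
        distinct_ids = {(e["ts"], e["msg"]) for e in ids}
        times = [e["ts"] for e in evs]
        span = (max(times) - min(times)).total_seconds()
        report[src] = {
            "fw_denies": len(denies),
            "fw_rules": sorted({e["rule"] for e in denies}),
            "ttl_values": sorted({e["ttl"] for e in denies}),
            "same_src_dst_port": any(e["sport"] == e["dport"] for e in denies),
            "stealth_kinds": sorted({e["kind"] for e in ids if e["type"] == "ids_stealth"}),
            "distinct_ids_alerts": len(distinct_ids),
            "corroborated": bool(denies) and bool(ids) and span <= window_seconds,
        }
    return report


if __name__ == "__main__":
    for src, summary in correlate(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

Running it on the quoted lines yields one source, 211.172.121.210, with a single DENY from rule #23 (TTL 20, flags SYN, source and destination port both 22), two distinct Snort messages once the duplicate PIDs are collapsed, and `corroborated` set, which is the kind of firewall-plus-IDS agreement worth recording when an alert like this is triaged.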