[plug] portscans
Nathan D
natdan at pobox.com
Tue Sep 25 19:43:25 WST 2001
Looks to me like old SmoothWall logs? ie when 0.9.9 was first released and
before snort was fine tuned. I used to see similar entries but most
vanished with either patch 2 or 3 from memory?
The rules in the 0.9.9 final seem to generate much less 'waffle' than
previous versions.
But the firewall logs are another story with Mr Nimda knocking on the door
all the time.
At 06:13 PM 25/09/01 +0800, garry wrote:
>Could the list have had a look at the intrusion detection log extract (below)
>and tell me if this is something to worry about please?
>
>This was in a 65 min period, there was 61 events logged all up!
>
>Have the lot saved in a text file of 10kb, but I've not posted it, for
>brevity...
>
>Regards,
>
>Garry.
>
>SmoothWall IDS snort log
>Date: 25 September
>Date: 09/25 16:30:20
>Name: spp_portscan: PORTSCAN DETECTED from 203.2.75.2 (THRESHOLD 4
>connections exceeded in 8 seconds)
>Priority: n/a
>Type: n/a
>IP Info: n/a:n/a -> n/a:n/a
>Refs:
>Date: 09/25 16:30:31
>Name: ICMP Destination Unreachable (Communication Administratively Prohibited)
>Priority: n/a
>Type: n/a
>IP Info: 198.142.91.160:61023 -> 64.4.60.204:80
>Refs:
>Date: 09/25 16:30:50
>Name: spp_portscan: portscan status from 203.2.75.2: 5 connections across 1
>hosts: TCP(0), UDP(5)
>Priority: n/a
>Type: n/a
>IP Info: n/a:n/a -> n/a:n/a
>Refs:
regards,
Nathan
~~~~~~~~~~~~~~~~~~~~~~~~ ,-_|\
. natdan at pobox.com . / \
. Western Australia . -> \_,-._/
~~~~~~~~~~~~~~~~~~~~~~~~ v
Can't make out my sig file? Try using a "fixed-width font"
More information about the plug
mailing list