Snort mailing list archives

Re: Portscan Logs


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 1 May 2011 06:58:44 -0400

On Apr 26, 2011, at 11:07 AM, Joshua Polsky wrote:

I know I posted a question about portscan logs earlier, but I had a different question in regards to the current log that we are now using. For the portscan log:

Time: 04/13-15:29:41.660134
event_id: 6042
x.x.x.x -> x.x.x.x(portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range:x.x.x.x:x.x.x.x
Port/Proto Count: 32
Port/Proto Range: 137:17500

I am trying to determine the source port and destination port. Also wanted to clarify for this line: x.x.x.x -> x.x.x.x(portscan) UDP Filtered Portscan
That the first IP is the source and the last is the destination. We need those 4 pieces of information from this log. Also, is there any way to obtain the flags from this portscan? Thanks again for any help you can give.

Well, there are no flags for the above portscan, as it's UDP based.   

Aside from that, all the answers you seek on how to interpret this log are in README.sfportscan in the doc/ directory 
of the tarball, and are explained much more thoroughly than I could.

J 
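A small parser for the sfportscan record layout quoted above, added here as an example that is not part of the original thread or of Snort itself. It reads the arrow line as scanner -> target, converts the count fields to integers and splits the two range fields; the sample record is constructed with documentation addresses, and README.sfportscan stays the reference for what each field means.

```python
import re

# Constructed sample record in the layout quoted in the thread; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_RECORD = """\
Time: 04/13-15:29:41.660134
event_id: 6042
192.0.2.10 -> 198.51.100.7(portscan) UDP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 66
Scanner IP Range:192.0.2.10:192.0.2.10
Port/Proto Count: 32
Port/Proto Range: 137:17500
"""

# The "a -> b(portscan) PROTO Scan Type" line; the arrow is read as scanner -> target.
HEADER_RE = re.compile(
    r"^(?P<src_ip>[0-9.]+)\s*->\s*(?P<dst_ip>[0-9.]+)\s*\(portscan\)\s+"
    r"(?P<proto>\S+)\s+(?P<scan_type>.+?)\s*$"
)
# Every other line is "Key: value"; the Time value itself contains colons,
# so the key is only what precedes the first colon.
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")
COUNT_KEYS = ("event_id", "priority_count", "connection_count", "ip_count", "port_proto_count")

def parse_record(text):
    """Parse one sfportscan record into a dict; raise ValueError if the header line is absent."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            rec.update(m.groupdict())
            continue
        m = KV_RE.match(line)
        if m:
            key = m.group("key").strip().lower().replace("/", "_").replace(" ", "_")
            rec[key] = m.group("value")
    if "src_ip" not in rec:
        raise ValueError("no 'src -> dst(portscan)' line in record")
    for key in COUNT_KEYS:
        if key in rec:
            rec[key] = int(rec[key])
    # Both ranges are "low:high"; splitting on ':' assumes IPv4 in Scanner IP Range.
    if "port_proto_range" in rec:
        lo, hi = rec["port_proto_range"].split(":")
        rec["port_proto_range"] = (int(lo), int(hi))
    if "scanner_ip_range" in rec:
        rec["scanner_ip_range"] = tuple(rec["scanner_ip_range"].split(":"))
    return rec

def parse_log(text):
    """Split a log file into blank-line separated records and parse each one."""
    return [parse_record(chunk) for chunk in re.split(r"\n\s*\n", text) if chunk.strip()]
```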