snort log entry question
From: Chris (cpollock_at_earthlink.net)
Date: 10/31/04
Date: Sat, 30 Oct 2004 22:17:38 GMT
I've been using snort for a couple of months now and although there have
been very few log entries those that are there I seem to have a hard time
understanding what they mean. I asked the below question in the
snort-users list awhile back but never received a reply, maybe it was just
too dumb of a question. Anyway, if anyone can explain what the two entries
mean or point me to a link(s) that do I'd appreciate it.

Oct 26 09:00:20 cpollock snort[3860]: [1:402:4] ICMP Destination Unreachable (Port Unreachable) [Classification: Misc activity] [Priority: 3]: {ICMP} 217.160.253.84 -> 192.168.1.2

On this one, why would Earthlink, my ISP, be doing a portscan on my system?
Could this just be a 'ping' from them?

Oct 25 23:42:17 cpollock snort[3860]: spp_portscan: PORTSCAN DETECTED to port 41980 from 207.217.121.213 (STEALTH)

Thanks to all in advance for any help
-- Chris
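
The two entry formats quoted in the post above, split into their fields, as an added example that is not part of the original post. In the first entry `[1:402:4]` is Snort's generator ID, signature ID and rule revision; the second is the fixed message written by the spp_portscan preprocessor. The function and field names are this example's own, and the sample lines are the post's entries with the line wraps removed.

```python
import re

# Constructed sample input: the two entries from the post, unwrapped.
SAMPLE = [
    "Oct 26 09:00:20 cpollock snort[3860]: [1:402:4] ICMP Destination Unreachable "
    "(Port Unreachable) [Classification: Misc activity] [Priority: 3]: {ICMP} "
    "217.160.253.84 -> 192.168.1.2",
    "Oct 25 23:42:17 cpollock snort[3860]: spp_portscan: PORTSCAN DETECTED to "
    "port 41980 from 207.217.121.213 (STEALTH)",
]

# Syslog prefix: timestamp, host, snort[pid], then the Snort message body.
SYSLOG = re.compile(
    r"^(?P<time>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) snort\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Rule alert: [gid:sid:rev] message [Classification: ..] [Priority: n]: {proto} src -> dst
# The classification part is optional; src/dst carry ":port" for TCP and UDP.
RULE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\]: \{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")
# Portscan preprocessor message: destination port, scanning source, scan type.
PORTSCAN = re.compile(
    r"^spp_portscan: PORTSCAN DETECTED to port (?P<port>\d+) "
    r"from (?P<src>\S+) \((?P<scan_type>[^)]+)\)$")


def parse_entry(line):
    """Return a dict of fields for one syslog line, or None if it is not from snort."""
    m = SYSLOG.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    body = fields.pop("body")
    for kind, pattern in (("rule_alert", RULE), ("portscan", PORTSCAN)):
        hit = pattern.match(body)
        if hit:
            fields.update(hit.groupdict(), kind=kind)
            break
    else:
        fields.update(kind="unknown", raw=body)  # keep unrecognised bodies for review
    # Numeric fields (pid, gid, sid, rev, priority, port) become ints.
    return {k: int(v) if isinstance(v, str) and v.isdigit() else v
            for k, v in fields.items()}


if __name__ == "__main__":
    for entry in map(parse_entry, SAMPLE):
        print(entry)
```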