[Oisf-users] How does Suricata detect portscans?
carlopmart
carlopmart at gmail.com
Tue Apr 12 04:57:38 EDT 2011
Hi all,
How does Suricata detect portscans? For example, I have done a simple test
by running:
[carlos at laptop sguil]$ nmap srvdns
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-12 10:53 CEST
Nmap scan report for srvdns (172.25.50.10)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Alerts detected by Suricata:
04/12-10:53:13.589141 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
04/12-10:53:13.590083 [**] [1:1418:11] GPL SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:37988 -> 172.25.50.10:161
04/12-10:53:13.590408 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
But why isn't an alert fired like "portscan detected" or something
similar?
--
CL Martinez
carlopmart {at} gmail {d0t} com
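The post shows the gap it asks about: three separate per-signature alerts from one source against one host within a millisecond, but nothing that ties them together. The following is an added example (not code from the poster or from the Suricata project) of the defender-side correlation a SOC would layer on top of fast.log: parse each alert line, group by source and destination, and flag a pair once alerts touch a minimum number of distinct destination ports inside a short time window. The sample log is constructed from the three alerts above rejoined onto single lines, plus one constructed alert from a second source that should not be flagged. The threshold (3 ports) and window (60 s) are illustrative values, not Suricata defaults; the year supplied to the timestamp parser is an assumption because fast.log omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three alerts quoted in the post (rejoined onto one
# line each, as fast.log writes them) plus one constructed alert from a second
# source that only touches a single port and must not be flagged.
SAMPLE_FAST_LOG = """\
04/12-10:53:13.589141  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
04/12-10:53:13.590083  [**] [1:1418:11] GPL SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:37988 -> 172.25.50.10:161
04/12-10:53:13.590408  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
04/12-10:55:02.000001  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.31:40001 -> 172.25.50.10:3306
"""

# One fast.log alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, and the src:port -> dst:port tuple.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fast_log_line(line, year=2011):
    """Return a dict for one alert line, or None if it does not match.
    fast.log carries no year, so the caller supplies one (assumed here)."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }


def parse_fast_log(text, year=2011):
    """Parse every matching line of a fast.log body; unparseable lines are skipped."""
    return [a for a in (parse_fast_log_line(l, year) for l in text.splitlines()) if a]


def find_port_sweeps(alerts, min_ports=3, window_seconds=60):
    """Sliding window per (src, dst): report the pair once alerts against
    >= min_ports distinct destination ports fall within window_seconds.
    Thresholds are illustrative, not Suricata settings."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda a: a["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {a["dport"] for a in evs[start:end + 1]}
            if len(ports) >= min_ports:
                findings.append({
                    "src": src, "dst": dst, "ports": sorted(ports),
                    "first": evs[start]["ts"], "last": evs[end]["ts"],
                })
                break  # one finding per (src, dst) pair is enough
    return findings


if __name__ == "__main__":
    for f in find_port_sweeps(parse_fast_log(SAMPLE_FAST_LOG)):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"possible port sweep {f['src']} -> {f['dst']}: "
              f"ports {f['ports']} within {span:.6f}s")
```

Run against the sample, the three alerts from 172.25.50.30 collapse into a single "possible port sweep" finding on ports 161, 1433 and 3306, while the lone alert from 172.25.50.31 produces nothing. The same grouping logic applies to eve.json alerts if the parser is swapped for a JSON reader; keying on (src, dst) rather than src alone keeps a busy client that legitimately talks to many services on one host from being mistaken for a horizontal scan.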