[Oisf-users] How does Suricata detect portscans??

carlopmart carlopmart at gmail.com
Tue Apr 12 14:35:54 EDT 2011


On 04/12/2011 10:57 AM, carlopmart wrote:
>
> Hi all,
>
> How does Suricata detect portscans?? For example, I have done a simple
> test:
>
> [carlos at laptop sguil]$ nmap srvdns
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-12 10:53 CEST
> Nmap scan report for srvdns (172.25.50.10)
> Host is up (0.0011s latency).
> Not shown: 998 closed ports
> PORT   STATE SERVICE
> 22/tcp open  ssh
> 53/tcp open  domain
>
> Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
>
> Alerts detected by suricata:
>
> 04/12-10:53:13.589141 [**] [1:2010937:2] ET POLICY Suspicious inbound to
> mySQL port 3306 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
> 04/12-10:53:13.590083 [**] [1:1418:11] GPL SNMP request tcp [**]
> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
> 172.25.50.30:37988 -> 172.25.50.10:161
> 04/12-10:53:13.590408 [**] [1:2010935:2] ET POLICY Suspicious inbound to
> MSSQL port 1433 [**] [Classification: Potentially Bad Traffic]
> [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
>
> But why is no alert fired, like "portscan detected" or something
> similar??
>

Nothing??


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
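
The alerts in the post are all per-signature: each one fires because a single packet hit a port a rule cares about (3306, 161, 1433), and none of them looks across packets. A "portscan detected" verdict needs correlation over several alerts or flows: one source touching many distinct ports on one host in a short window. The script below is an added example, not part of the original post and not Suricata's own code. It parses fast.log lines in the format shown above (the three real alert lines from the post, unwrapped, plus two constructed lines for a host that only ever talks to port 22), groups them by (source, destination) and flags the pair once the number of distinct destination ports seen inside a sliding window reaches a threshold. The threshold of 3 ports in 5 seconds, the constructed sid 1000001 and the function names are assumptions chosen for the demonstration; the input is assumed to be time-ordered, as fast.log is.

```python
"""Toy port-scan correlation over Suricata fast.log alert lines.

Added example (not from the original post, not Suricata's own code):
one source hitting many distinct destination ports on one host inside a
short window is what a per-signature alert cannot express on its own.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# fast.log line layout as shown in the post:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FASTLOG_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

# Sample input: the three alert lines quoted in the post (unwrapped), followed by
# two CONSTRUCTED lines (sid 1000001 is an assumed local-rule id) for a host that
# only ever connects to port 22 and must not be flagged.
SAMPLE_FASTLOG = """\
04/12-10:53:13.589141  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:57780 -> 172.25.50.10:3306
04/12-10:53:13.590083  [**] [1:1418:11] GPL SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.25.50.30:37988 -> 172.25.50.10:161
04/12-10:53:13.590408  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.25.50.30:60815 -> 172.25.50.10:1433
04/12-10:53:20.000000  [**] [1:1000001:1] CONSTRUCTED ssh session sample [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.25.50.40:41000 -> 172.25.50.10:22
04/12-10:53:21.000000  [**] [1:1000001:1] CONSTRUCTED ssh session sample [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 172.25.50.40:41001 -> 172.25.50.10:22
"""


def parse_fastlog_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FASTLOG_RE.match(line.strip())
    if not m:
        return None
    # fast.log timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    return {
        "t": (ts - datetime(1900, 1, 1)).total_seconds(),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def detect_scans(lines, distinct_ports=3, window_seconds=5.0):
    """Return one finding per (src, dst) pair whose distinct destination port
    count inside a sliding time window reaches `distinct_ports`.

    Lines are assumed to be in time order. Unparseable lines are skipped.
    """
    recent = defaultdict(deque)  # (src, dst) -> deque of (t, dport), oldest first
    findings = {}
    for line in lines:
        ev = parse_fastlog_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["t"], ev["dport"]))
        # Slide the window: drop events older than window_seconds.
        while q and ev["t"] - q[0][0] > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and key not in findings:
            findings[key] = {
                "src": ev["src"],
                "dst": ev["dst"],
                "ports": sorted(ports),
                "first_seen": q[0][0],
                "last_seen": ev["t"],
            }
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_FASTLOG.splitlines()):
        span = f["last_seen"] - f["first_seen"]
        print(f"possible portscan: {f['src']} -> {f['dst']} "
              f"ports {f['ports']} within {span:.3f}s")
```

Run against the sample, only 172.25.50.30 -> 172.25.50.10 is reported, with ports 161, 1433 and 3306 seen within about two milliseconds; the constructed port-22 traffic from 172.25.50.40 never reaches three distinct ports and stays quiet. Note that this only sees ports some signature already alerted on: a full scan of 1000 ports produced just three alerts here, so a detector built on flow or connection logs rather than on alerts would see far more of the scan.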

