snort and portscan

Message

ponzio · Post by **ponzio** » Wed Jul 13, 2005 10:33 am

hi, my snort detected a portscan from my box to another ip, but i did not do that

  #20-(1-311)     	    [snort] (portscan) TCP Portsweep    	    2005-07-13 11:48:05    	    xxx.xxx.xxx.xxx     	    151.37.68.10     	    Raw IP

and other times with different destinations.
the payload:

Code: Select all

 
000 : 50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20   Priority Count: 
010 : 35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75   5.Connection Cou
020 : 6E 74 3A 20 36 0A 49 50 20 43 6F 75 6E 74 3A 20   nt: 6.IP Count: 
030 : 32 31 0A 53 63 61 6E 6E 65 64 20 49 50 20 52 61   21.Scanned IP Ra
040 : 6E 67 65 3A 20 31 35 31 2E 33 37 2E 36 38 2E 31   nge: 151.37.68.1
050 : 30 3A 38 32 2E 35 35 2E 39 38 2E 32 30 31 0A 50   0:82.55.98.201.P
060 : 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74 3A   ort/Proto Count:
070 : 20 36 0A 50 6F 72 74 2F 50 72 6F 74 6F 20 52 61    6.Port/Proto Ra
080 : 6E 67 65 3A 20 31 37 31 32 3A 36 34 36 32 0A      nge: 1712:6462.

I really did not do that, so what's going on?

Noyan · Post by **Noyan** » Wed Jul 13, 2005 4:13 pm

not a portscan

1712:6462 >> port range

someting like p2p..but not a portscan.