* Markus Kohli wrote on Mon, Sep 24, 2001 at 23:59 +0200:
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 1 connections across 1 hosts: TCP(0), UDP(1) [**] 09/24-23:54:03.679551
Well, I think a trigger of 1 connection is a little bit small for a portscan - I wonder why not all requests are reported as portscan. Check log to what hosts those packages go - if they go to internal host, you might have snort installed on the wrong interface :)

snort.conf:

    preprocessor portscan: $HOME_NET 4 3 portscan.log

4 conns in 3 seconds, you could increase the values.

But usually a router shouldn't make connections to $HOME_NET. Maybe snort is right but your configuration is wrong? tcpdump a little, check what your gateway tries to do. Check your $HOME_NET, maybe it's wrongly configured (wrong netmask or whatever).

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
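The "4 conns in 3 seconds" threshold and the $HOME_NET netmask check from the reply above, as an added example that is not part of the original message and not Snort's own code. It is a simplified sliding-window model; the function name `portscan_alerts`, its parameters and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def portscan_alerts(events, home_net, max_conns=4, period=3.0):
    """Return (time, src, count) each time a source reaches max_conns
    connections to destinations inside home_net within `period` seconds.

    Simplified model of a connection-count threshold, not Snort's logic.
    """
    net = ip_network(home_net)
    windows = defaultdict(deque)  # src -> timestamps of recent in-scope connections
    alerts = []
    for ts, src, dst, _dport in sorted(events):
        if ip_address(dst) not in net:
            continue  # destination outside the monitored network: not counted
        win = windows[src]
        win.append(ts)
        # Drop connections that have aged out of the detection period.
        while ts - win[0] > period:
            win.popleft()
        if len(win) >= max_conns:
            alerts.append((ts, src, len(win)))
            win.clear()  # start counting afresh after an alert
    return alerts


# Constructed sample traffic: (seconds, source, destination, destination port)
EVENTS = [
    (0.0, "10.0.3.19", "10.0.3.1", 53),
    (0.5, "10.0.3.19", "10.0.3.7", 53),
    (1.0, "10.0.3.19", "10.0.3.130", 53),
    (1.5, "10.0.3.19", "10.0.3.200", 53),
    (9.0, "10.0.3.19", "10.0.3.1", 53),
]

if __name__ == "__main__":
    # The same traffic judged against two candidate HOME_NET values:
    # a different netmask changes which destinations are counted at all.
    for home_net in ("10.0.3.0/24", "10.0.3.0/25"):
        print(home_net, portscan_alerts(EVENTS, home_net))
```

With the /24 all four early connections count and the threshold is reached; with the /25 two destinations fall outside the monitored range and nothing is reported.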