"Admin" <admin@eregion.de> wrote:
> On 16 Feb 2000 10:26:19 +0100, Eilert Brinkmann wrote:
>> "Admin" <admin@eregion.de> wrote:
>>> Feb 13 19:17:30 aragorn scanlogd: From 209.144.167.150:20 to 192.168.238.3 ports 3021, 3022, 3023, 3024, 3025, 3026, 3027, 3028, 3029,..., flags ??r??u, TOS 08, TTL 49, started at 19:17:15
>> In the situation you describe you can be sure this is *not* a portscan. Your FTP data connections trigger this warning.
> so why didn't I get portscan log entries just now, I had the same script which runs on Sundays (when the log entries happen) run manually just a few minutes ago, and guess what, no portscan entries in the logfiles...
scanlogd writes these messages when it detects a large number of connections within a short time. Maybe this time you did fewer transfers or there was more time between connections. Just a guess...
Eilert
--
Eilert Brinkmann -- Universitaet Bremen -- FB 3, Informatik
eilert@informatik.uni-bremen.de - eilert@tzi.org - eilert@linuxfreak.com
http://www.informatik.uni-bremen.de/~eilert/
This very same issue was discussed a few months ago on suse-security.
Original message: http://lists.suse.com/archives/suse-security/1999-Sep/0129.html
A good reply: http://lists.suse.com/archives/suse-security/1999-Sep/0132.html
scott
----- Original Message -----
From: "Eilert Brinkmann" <eilert@Informatik.Uni-Bremen.DE>
To: <suse-security@suse.com>
Sent: Wednesday, February 16, 2000 5:30 AM
Subject: Re: [suse-security] FTP = PortScan???
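
A triage sketch for the false positive discussed in this thread, added here as an example and not part of the original messages: it parses scanlogd lines like the one quoted above and separates alerts whose source port is 20 (ftp-data) and whose destination ports form a rising, short-stepped run above 1023 from everything else. The function names, the `max_step` threshold and the second and third sample lines are assumptions made for illustration.

```python
import re

# scanlogd syslog format: From saddr[:sport] to daddr [and others,] ports ..., flags ...
LINE_RE = re.compile(
    r"scanlogd: From (?P<src>[\d.]+)(?::(?P<sport>\d+))? to (?P<dst>[\d.]+)"
    r"(?: and others,)? ports (?P<ports>.+?), flags "
)

def parse(line):
    """Return source, source port, destination and logged ports, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ports = [int(p) for p in re.findall(r"\d+", m["ports"])]
    sport = int(m["sport"]) if m["sport"] else None
    return {"src": m["src"], "sport": sport, "dst": m["dst"], "ports": ports}

def triage(line, max_step=4):
    """Classify one alert as 'likely-ftp-data', 'review' or 'unparsed'."""
    ev = parse(line)
    if ev is None or not ev["ports"]:
        return "unparsed"
    ports = ev["ports"]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # A client handing out data ports one after another yields a rising,
    # short-stepped run of unprivileged ports (assumed heuristic).
    ephemeral_run = min(ports) >= 1024 and all(0 < s <= max_step for s in steps)
    # The sender picks its own source port, so port 20 alone proves nothing:
    # confirm a match against an FTP control session to the same host.
    if ev["sport"] == 20 and ephemeral_run:
        return "likely-ftp-data"
    return "review"

SAMPLES = [
    # Line quoted in this thread.
    "Feb 13 19:17:30 aragorn scanlogd: From 209.144.167.150:20 to 192.168.238.3 "
    "ports 3021, 3022, 3023, 3024, 3025, 3026, 3027, 3028, 3029,..., "
    "flags ??r??u, TOS 08, TTL 49, started at 19:17:15",
    # Constructed: scattered well-known ports from a high source port.
    "Feb 13 20:02:11 aragorn scanlogd: From 192.0.2.77:41233 to 192.168.238.3 "
    "ports 21, 23, 25, 80, 110, 111, 139, 443,..., "
    "flags fSrpauxy, TOS 00, TTL 52, started at 20:02:10",
    # Constructed: source port 20 but privileged destination ports.
    "Feb 13 20:05:40 aragorn scanlogd: From 192.0.2.77:20 to 192.168.238.3 "
    "ports 21, 22, 23, 25, flags fSrpauxy, TOS 00, TTL 52, started at 20:05:39",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "|", line[:60])
```
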
Participants (2): Eilert Brinkmann, Scott Danahy