Figure 2 - Typical Snort alerts
[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.1.1.100 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
10/20-20:14:21.889975

[**] [111:12:1] spp_stream4: NMAP FINGERPRINT (stateful) detection [**]
10/20-20:14:21.992317 10.1.1.100:48182 -> 10.1.1.16:21
TCP TTL:44 TOS:0x0 ID:10607 IpLen:20 DgmLen:60
***A**** Seq: 0x6095635C Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL

[**] [1:628:1] SCAN nmap TCP [**]
[Classification: Attempted Information Leak] [Priority: 3]
10/20-20:14:21.992366 10.1.1.100:48184 -> 10.1.1.16:1
TCP TTL:44 TOS:0x0 ID:41635 IpLen:20 DgmLen:60
***A**** Seq: 0x6095635C Ack: 0x0 Win: 0x400 TcpLen: 40
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
[Xref => http://www.whitehats.com/info/IDS28]

[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection [**]
10/20-20:14:21.992390 10.1.1.100:48185 -> 10.1.1.16:1
TCP TTL:44 TOS:0x0 ID:16540 IpLen:20 DgmLen:60
**U*P**F Seq: 0x6095635C Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL