sendmail triggers "portsweep" in snort?
- To: <email@example.com>
- Subject: sendmail triggers "portsweep" in snort?
- From: Erik Dörnbach <firstname.lastname@example.org>
- Date: Thu, 22 Sep 2005 16:30:19 +0200
- Message-id: <883F9500AE0CAC4C9FBB72C9E09D89C5ECC522@lgexchange.elge.intern>
(crossposting, but I figured this one might not be right for debian-users)
I just installed snort out of curiosity on my network with the plain Debian default rules. In the reports generated I found one of my sendmail servers doing portsweeps to remote addresses.
Upon further investigation I found out that the destination of each occurred portsweep is also logged by the same sendmail as
...rejecting commands from [a.b.c.d] [a.b.c.d] due to pre-greeting traffic
Now I wonder what this should tell me. These are probably some people's spambots which impolitely don't wait for the server to greet them, sure... but why and what does snort detect as a portsweep (what's a portsweep anyway, some kind of portscan method?).
I'm pretty confident the server is safe and not compromised, anyone with a clue?
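The correlation described above (portsweep destinations versus sendmail's pre-greeting rejections) can be checked over the logs instead of by hand. This is an added example, not code from the original post; the log lines, IPs and the snort alert fields are constructed, and the snort alert text is modelled only as far as the check needs (alert name, source, destination).

```python
import re
from collections import Counter

# Constructed sendmail log lines in the shape the post quotes
# ("rejecting commands from [a.b.c.d] [a.b.c.d] due to pre-greeting traffic").
SENDMAIL_LOG = """\
Sep 22 14:01:07 mx1 sm-mta[2211]: j8MC17xx002211: rejecting commands from [192.0.2.10] [192.0.2.10] due to pre-greeting traffic
Sep 22 14:03:19 mx1 sm-mta[2240]: j8MC3Jxx002240: rejecting commands from [198.51.100.7] [198.51.100.7] due to pre-greeting traffic
Sep 22 14:05:02 mx1 sm-mta[2261]: j8MC52xx002261: from=<user@example.org>, size=1024, class=0, nrcpts=1, relay=[203.0.113.5]
Sep 22 14:06:44 mx1 sm-mta[2290]: j8MC6ixx002290: rejecting commands from [192.0.2.10] [192.0.2.10] due to pre-greeting traffic
"""

# Constructed snort portsweep alerts, reduced to the fields this check uses.
SNORT_ALERTS = [
    {"sig": "(portscan) TCP Portsweep", "src": "203.0.113.25", "dst": "192.0.2.10"},
    {"sig": "(portscan) TCP Portsweep", "src": "203.0.113.25", "dst": "198.51.100.7"},
    {"sig": "(portscan) TCP Portsweep", "src": "203.0.113.25", "dst": "192.0.2.99"},
]

# First bracket/token is the client name as sendmail saw it, second is the address.
PREGREET_RE = re.compile(
    r"rejecting commands from (?P<host>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] due to pre-greeting traffic"
)


def pregreet_rejects(log_text):
    """Count, per client IP, how often sendmail rejected it for pre-greeting traffic."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PREGREET_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def portsweep_targets(alerts, mail_server_ip):
    """Destination IPs of portsweep alerts whose source is the mail server."""
    return {a["dst"] for a in alerts
            if "portsweep" in a["sig"].lower() and a["src"] == mail_server_ip}


def correlate(log_text, alerts, mail_server_ip):
    """Split portsweep targets into those matched by a rejection and those that are not."""
    rejects = pregreet_rejects(log_text)
    targets = portsweep_targets(alerts, mail_server_ip)
    explained = {ip: rejects[ip] for ip in targets if ip in rejects}
    unexplained = sorted(targets - set(rejects))
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = correlate(SENDMAIL_LOG, SNORT_ALERTS, "203.0.113.25")
    for ip, n in sorted(explained.items()):
        print(f"{ip}: portsweep target, rejected for pre-greeting traffic {n}x")
    for ip in unexplained:
        print(f"{ip}: portsweep target with no matching sendmail rejection, worth a closer look")
```

Targets that have no matching rejection are the ones that would not be explained by rejected clients, so they are the ones to look at first.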