Snort mailing list archives

Re: snort detects portscan?


From: "alexus" <ml () db nexgen com>
Date: Wed, 20 Jun 2001 10:18:40 -0400

Oh okay.. heh, sorry :)

What I found out is that, by accident, when I was removing one domain from my
DNS I only removed it on the master NS and didn't remove it on the slave, and the
slave was trying to connect to the master to get this zone, and somehow BIND
considered it a portscan (weird). But after I removed this zone from the slave,
those messages no longer appear.

----- Original Message -----
From: "Phil Wood" <cpw () lanl gov>
To: "alexus" <ml () db nexgen com>
Sent: Wednesday, June 20, 2001 9:37 AM
Subject: Re: [Snort-users] snort detects portscan?


On Wed, Jun 20, 2001 at 01:37:29AM -0400, alexus wrote:
I figured it out :) never mind, thanks

It might help others if you share with the list what you figured out.


----- Original Message -----
From: "Joe McAlerney" <joey () SiliconDefense com>
To: "alexus" <ml () db nexgen com>
Cc: <Snort-users () lists sourceforge net>
Sent: Tuesday, June 19, 2001 7:36 PM
Subject: Re: [Snort-users] snort detects portscan?


The portscan preprocessor is detecting "stealth" packets. They will be
alerted on regardless of whether or not you have the source host defined
in portscan-ignorehosts. There are some good examples of why this
occurs in the archives of this mailing list. Most recently, it is
caused by ECN packets with Linux 2.4 kernels.

-Joe M.

--
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

alexus wrote:

Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH

I'm getting this in my syslog like every other 10 minutes.. I know that
IP is not portscanning me 'cause I wouldn't portscan myself :)

Any ideas what could cause that?

As far as I can tell I do have a bit of communication between my box and
that PC .. that's DNS .. but then again, why is it doing it every 10
minutes? And in snort.conf I put this IP into var DNS_SERVERS..

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--
Phil Wood, cpw () lanl gov






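The spp_portscan syslog lines quoted in this thread are easy to misread by hand: the "/kernel:" copies are the same alerts re-logged through a second facility, and the STEALTH flag is the detail that explains why portscan-ignorehosts did not suppress them. Below is an added example (not code from the thread, Snort, or Silicon Defense) of a small parser that rejoins those lines into structured events, drops the duplicates, and triages each source address, marking it as a known peer when it appears in a list of hosts the analyst already expects traffic from (such as a DNS server). The sample log text is constructed from the lines in the thread; the field names and the `known_peers` parameter are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the spp_portscan lines from the thread, rejoined onto
# one line each. The "/kernel:" lines are the same two alerts logged again
# through the kernel log facility, so a correct parser must deduplicate them.
SAMPLE_SYSLOG = """\
Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
"""

# Matches the innermost "<timestamp> <sensor> snort: spp_portscan: ..." part,
# so a line re-logged via /kernel is parsed from its embedded copy.
LINE_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: '
    r'spp_portscan: (?P<kind>portscan status|End of portscan) from '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<detail>.*)$'
)
STATUS_RE = re.compile(
    r'(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: '
    r'TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?'
)
END_RE = re.compile(
    r'TOTAL time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) '
    r'TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?'
)


def parse_portscan_line(line):
    """Return a dict describing one spp_portscan event, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    kind = 'status' if m['kind'] == 'portscan status' else 'end'
    d = (STATUS_RE if kind == 'status' else END_RE).match(m['detail'])
    if not d:
        return None
    event = {
        'ts': m['ts'], 'sensor': m['sensor'], 'kind': kind, 'src': m['src'],
        'hosts': int(d['hosts']), 'tcp': int(d['tcp']), 'udp': int(d['udp']),
        # STEALTH is the flag the preprocessor sets regardless of ignorehosts.
        'stealth': d['stealth'] is not None,
    }
    if kind == 'end':
        event['duration_s'] = int(d['secs'])
    return event


def parse_syslog(text):
    """Parse all spp_portscan events in a syslog extract, dropping re-logged copies."""
    seen = set()
    events = []
    for line in text.splitlines():
        event = parse_portscan_line(line)
        if event is None:
            continue
        key = (event['ts'], event['sensor'], event['kind'], event['src'])
        if key in seen:  # same alert logged twice (e.g. once via /kernel)
            continue
        seen.add(key)
        events.append(event)
    return events


def triage(events, known_peers=frozenset()):
    """Summarise events per source address.

    known_peers (assumed parameter): addresses the analyst already expects
    traffic from; a stealth-flagged scan from a known peer is the pattern in
    this thread (a DNS peer tripping the stealth check), not a new attacker.
    """
    summary = OrderedDict()
    for ev in events:
        s = summary.setdefault(ev['src'], {
            'scans': 0, 'stealth': False, 'tcp': 0, 'udp': 0,
            'known_peer': ev['src'] in known_peers,
        })
        s['stealth'] = s['stealth'] or ev['stealth']
        if ev['kind'] == 'end':  # "End of portscan" carries the per-scan totals
            s['scans'] += 1
            s['tcp'] += ev['tcp']
            s['udp'] += ev['udp']
    return summary


if __name__ == '__main__':
    for src, s in triage(parse_syslog(SAMPLE_SYSLOG),
                         known_peers={'216.27.143.184'}).items():
        print(src, s)
```

Feeding the sensor's syslog through `parse_syslog` collapses the four quoted lines to two events, and `triage` reports one scan from 216.27.143.184 with both TCP and UDP probes, the STEALTH flag set, and `known_peer` true when that address is in the list of expected DNS peers; that combination is the cue to look at the peer's own behaviour (here, a slave name server retrying a zone that no longer existed on the master) rather than at an outside scanner.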