Snort mailing list archives
Re: snort detects portscan?
From: "alexus" <ml () db nexgen com>
Date: Wed, 20 Jun 2001 10:18:40 -0400
oh okay.. heh sorry:) what I found out is that, by accident, when I was removing one domain from my DNS I only removed it on the master NS and didn't remove it on the slave.. and the slave was trying to connect to the master to get this zone.. and somehow bind considered it a portscan (weird).. but after I removed this zone from the slave those messages no longer appear..

----- Original Message -----
From: "Phil Wood" <cpw () lanl gov>
To: "alexus" <ml () db nexgen com>
Sent: Wednesday, June 20, 2001 9:37 AM
Subject: Re: [Snort-users] snort detects portscan?

On Wed, Jun 20, 2001 at 01:37:29AM -0400, alexus wrote:
i figured it out:) never mind thanks

It might help others if you share with the list what you figured out.

----- Original Message -----
From: "Joe McAlerney" <joey () SiliconDefense com>
To: "alexus" <ml () db nexgen com>
Cc: <Snort-users () lists sourceforge net>
Sent: Tuesday, June 19, 2001 7:36 PM
Subject: Re: [Snort-users] snort detects portscan?

The portscan preprocessor is detecting "stealth" packets. They will be alerted on regardless of whether or not you have the source host defined in portscan-ignorehosts. There are some good examples of why this occurs in the archives of this mailing list. Most recently, it is caused by ENC packets with Linux 2.4 kernels.

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
+-- --+

alexus wrote:

Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH

I'm getting this in my syslog like every other 10 minutes.. I know that IP is not portscanning me 'cause I wouldn't portscan myself:) any ideas what could cause that? as far as I can tell I do have a bit of communication between my box and that PC .. that's DNS .. but then again why is it doing it every 10 minutes? and in snort.conf I put this IP into var DNS_SERVERS..

--
Phil Wood, cpw () lanl gov
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
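The thread's point is that spp_portscan flags "stealth" packets even for hosts listed in portscan-ignorehosts, and that a misconfigured DNS slave polling its master can look exactly like a tiny repeating scan. The following triage script is an added example, not code from the thread or from the Snort project: it parses the spp_portscan syslog lines in the format quoted above, groups them by source, and labels low-volume STEALTH episodes from a host you have configured as a DNS server as probable DNS noise worth a zone-config check rather than a scan. The sample log lines are constructed to match the quoted format (the 10.9.8.7 entries are invented), and the threshold `low_volume` is an assumed value, not anything Snort uses.

```python
"""Triage helper for Snort spp_portscan syslog lines (added example, not Snort code)."""
import re
from collections import defaultdict

# Constructed sample lines in the same format as the ones quoted in the thread.
SAMPLE_LOG = """\
Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:15:31 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
Jun 19 19:15:35 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:20:02 box snort: spp_portscan: portscan status from 10.9.8.7: 120 connections across 1 hosts: TCP(120), UDP(0)
Jun 19 19:20:41 box snort: spp_portscan: End of portscan from 10.9.8.7: TOTAL time(39s) hosts(1) TCP(120) UDP(0)
"""

# "portscan status" lines: running counters for an episode in progress.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections "
    r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)
# "End of portscan" lines: totals for a finished episode.
END_RE = re.compile(
    r"spp_portscan: End of portscan from (?P<src>[\d.]+): TOTAL time\((?P<secs>\d+)s\) "
    r"hosts\((?P<hosts>\d+)\) TCP\((?P<tcp>\d+)\) UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)


def parse_portscan_log(text):
    """Group spp_portscan status/end lines by source IP and keep per-source aggregates."""
    per_src = defaultdict(lambda: {"episodes": 0, "max_conns": 0, "max_hosts": 0,
                                   "stealth": False, "total_secs": 0})
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            rec = per_src[m["src"]]
            rec["max_conns"] = max(rec["max_conns"], int(m["conns"]))
            rec["max_hosts"] = max(rec["max_hosts"], int(m["hosts"]))
            rec["stealth"] = rec["stealth"] or bool(m["stealth"])
            continue
        m = END_RE.search(line)
        if m:
            rec = per_src[m["src"]]
            rec["episodes"] += 1  # one finished episode per "End of portscan" line
            rec["total_secs"] += int(m["secs"])
            rec["max_hosts"] = max(rec["max_hosts"], int(m["hosts"]))
            rec["stealth"] = rec["stealth"] or bool(m["stealth"])
    return dict(per_src)


def triage(per_src, known_dns_servers, low_volume=5):
    """Label each source. `low_volume` is an assumed threshold for illustration only."""
    verdicts = {}
    for src, rec in per_src.items():
        if (rec["stealth"] and src in known_dns_servers
                and rec["max_hosts"] == 1 and rec["max_conns"] <= low_volume):
            # Matches the thread's case: a couple of STEALTH-flagged packets from a
            # configured DNS server, one target host, repeating. Check zone config first.
            verdicts[src] = "likely-dns-noise"
        elif rec["max_conns"] > low_volume or rec["max_hosts"] > 1:
            verdicts[src] = "investigate"
        else:
            verdicts[src] = "low-volume-review"
    return verdicts


if __name__ == "__main__":
    summary = parse_portscan_log(SAMPLE_LOG)
    for src, verdict in triage(summary, known_dns_servers={"216.27.143.184"}).items():
        rec = summary[src]
        print(f"{src}: {verdict} (episodes={rec['episodes']}, max_conns={rec['max_conns']}, "
              f"stealth={rec['stealth']})")
```

Feed it your real syslog and the IPs from your `DNS_SERVERS` variable. A "likely-dns-noise" verdict does not mean the alert was wrong; it means the next step is to compare the master and slave zone lists, as in the thread, before treating the source as hostile.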
Current thread:
- snort detects portscan? alexus (Jun 19)
- Re: snort detects portscan? Joe McAlerney (Jun 19)
- Re: snort detects portscan? alexus (Jun 19)
- Message not available
- Re: snort detects portscan? alexus (Jun 20)
- Re: snort detects portscan? alexus (Jun 19)
- Re: snort detects portscan? Joe McAlerney (Jun 19)