Snort mailing list archives

Re: Portscan from own interface


From: Subba Rao <subba9 () home com>
Date: Wed, 16 May 2001 05:37:33 +0000

On  0, Midnight shadow <p.selder () freeler nl> wrote:

I noticed something strange in the snort-log file. I got a portscan from the 
external interface from my firewall. Normally the offending host is logged, 
but now my external IP is listed.

What can be the cause? Spoofing of some kind?
The next lines are only a few from the messages log.

May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from 
x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from 
x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times

x.x.x.x is the ip of the external interface.
I'm running snort 1.8 beta on redhat 7.0 i386


I am seeing similar messages in my snort logs. I hope it is only spoofing and
not that my machine has been compromised.

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/16-05:19:37.397711 

How can I set up anti-spoofing controls on my machine?

TIA.

-- 

Subba Rao
subba9 () home com
http://members.home.net/subba9/

GPG public key ID 27FC9217
