Snort mailing list archives
Re: Portscan from own interface
From: Subba Rao <subba9 () home com>
Date: Wed, 16 May 2001 05:37:33 +0000
On 0, Midnight shadow <p.selder () freeler nl> wrote:
I noticed someting stange in the snort-log file. I got a portscan from the external interface from my firewall. Normally the offending hosts is logged, but now my external ip is listed. What can be the cause? Spoofing of some kind? The next line are only a few from the messages log. May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1) May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1) May 10 09:01:15 proxy last message repeated 2 times x.x.x.x is the ip of the external interface. I'm running snort 1.8 beta on redhat 7.0 i386
I am seeing similar messages in my snort logs. I hope it is only spoofing and not that my machine has been compromised. [**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**] 05/16-05:19:37.397711 How can I set up anti-spoofing controls on my machine? TIA. -- Subba Rao subba9 () home com http://members.home.net/subba9/ GPG public key ID 27FC9217 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan from own interface Midnight shadow (May 10)
- RE: Portscan from own interface Fernando Cardoso (May 10)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Subba Rao (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- Re: Portscan from own interface Midnight shadow (May 16)
- RE: Portscan from own interface John Berkers (May 16)