Snort mailing list archives
RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash
From: "Madhav Diwan" <mdiwan () wagweb com>
Date: Wed, 11 Jul 2001 11:00:56 -0400
No, I don't think so: this happens at two different sites, and this "scan" occurs once every 4 seconds and has been present for the four days * 24 hours that the server has been in place. Either the would-be hacker is really stupid, or this is legitimate scanning from UUnet. Anyway, how do I stop the alert from happening:

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
PS: this is a RedHat 7.1 system running snort 1.7.1 from snort.org

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Wednesday, July 11, 2001 10:29 AM
To: Madhav Diwan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] UUnet dns server portscans filling up log.. causing email of real alerts to crash

The question is why you're receiving these portscans from 198.6.1.5. A DNS server is not supposed to send portscans. My hunch is that someone is spoofing that IP and launching a portscan to your machine. If that's the case, you should be happy that snort is detecting them :-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:
Hey guys, how do I stop this message from getting into the secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

The address is that of a UUnet DNS server. This address is in the snort.conf file for the portscan ignore, but it doesn't seem to help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS

Snort has been restarted but still logs these scans. Does the netmask have to be present for this to work? I am not certain that this is the netmask of the UUnet servers. How do I find out what that is? This is filling up my secure log and causing my email of alerts to crash.

Thanks
Madhav
Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Wagner Weber & Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
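The thread's practical problem is that repetitive spp_portscan lines from a known DNS server drown out the real alerts that get mailed out. Below is an added example (not code from the thread's participants and not Snort's own portscan-ignorehosts logic) that post-filters the syslog lines with an ignore list in the same "[a/32,b/32]" form used in the poster's snort.conf. It treats a bare address as a /32, so the netmask question does not matter for this filter, and by default it only silences an ignored host for UDP-only status lines (the shape of DNS replies), so TCP activity that merely spoofs the DNS server's address still surfaces, which is the concern Ramin raised. The log lines other than the one quoted in the thread are constructed for the example; the 10.9.8.7 and 198.6.1.1 entries are made up.

```python
"""Post-filter spp_portscan syslog lines by an ignore list of hosts/CIDRs.

Added example for this thread; it is not Snort code and does not change
what snort 1.7.1 logs. It drops lines from ignored hosts so the real
alerts survive, and accepts ignore entries with or without a netmask
(a bare address is treated as /32).
"""
import ipaddress
import re

# Only "from <ip>" is required, so the status, DETECTED and End-of-portscan
# message forms all match without depending on the rest of the text.
SRC_RE = re.compile(r"spp_portscan: .*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})")
# Per-protocol connection counts carried by "portscan status" lines.
COUNTS_RE = re.compile(r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")


def parse_ignore_list(spec):
    """Parse '[198.6.1.5/32,198.6.1.1]' (commas, spaces, optional brackets)."""
    nets = []
    for item in re.split(r"[\s,]+", spec.strip("[] \n")):
        if item:
            # A bare address becomes a /32; strict=False tolerates host bits set.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def source_ip(line):
    """Return the source address named in an spp_portscan line, or None."""
    m = SRC_RE.search(line)
    return m.group(1) if m else None


def should_suppress(line, ignore_nets, udp_only=True):
    """True if the line should be dropped because it comes from an ignored host.

    With udp_only=True an ignored host is only silenced for UDP-only status
    lines; a status line showing TCP connections from it is still reported.
    Lines without counts (DETECTED / End of portscan) are dropped for ignored
    hosts because their status lines carry the protocol detail.
    """
    src = source_ip(line)
    if src is None:
        return False
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in ignore_nets):
        return False
    if not udp_only:
        return True
    counts = COUNTS_RE.search(line)
    if counts is None:
        return True
    return int(counts.group("tcp")) == 0


def filter_alerts(log_text, ignore_spec, udp_only=True):
    """Split log text into (kept, suppressed) lists of lines."""
    nets = parse_ignore_list(ignore_spec)
    kept, suppressed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        (suppressed if should_suppress(line, nets, udp_only) else kept).append(line)
    return kept, suppressed


# Constructed sample lines in the spp_portscan format quoted in the thread.
# Only the first line is from the thread; the rest are made up for the example.
SAMPLE_LOG = """\
Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
Jul 11 09:25:28 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
Jul 11 09:25:31 FG-IDS1 snort[595]: spp_portscan: PORTSCAN DETECTED from 10.9.8.7 (THRESHOLD 4 connections exceeded in 0 seconds)
Jul 11 09:25:33 FG-IDS1 snort[595]: spp_portscan: portscan status from 10.9.8.7: 12 connections across 1 hosts: TCP(12), UDP(0)
Jul 11 09:25:35 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.1: 3 connections across 1 hosts: TCP(3), UDP(0)
"""

if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE_LOG, "[198.6.1.5/32,198.6.1.1/32]")
    print(f"kept {len(kept)} line(s), suppressed {len(dropped)}")
    for line in kept:
        print(line)
```

Run against the sample, the two UDP-only status lines from 198.6.1.5 are dropped, the 10.9.8.7 scan is kept, and the made-up TCP line from 198.6.1.1 is kept because udp_only is on; passing udp_only=False silences everything from both listed hosts, which is the blanket whitelist that makes address spoofing attractive.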
Current thread:
- UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Jeff Ito (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Jeff Ito (Jul 11)
- <Possible follow-ups>
- RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash Madhav Diwan (Jul 11)
- Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash Ramin Alidousti (Jul 11)