Snort mailing list archives
Confused about rules and logs
From: b311b-snort () theotherbell com
Date: Sun, 09 May 2004 19:28:00 -0400
I'm running snort version 1.7 on a NetBSD firewall. I start it with -D -c /usr/local/share/snort/rules.conf -s. I got my rules file from http://whitehats.com/ids/ and my local network is 192.168.2.0/24.

Everything seems to work OK, but I have one Doze box that is constantly generating 1000s of entries per day to /var/log/snort/log that look like this:

    [**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]

There's a series of new log messages generated once every 7 or 8 seconds. I have other Doze boxes on the network that do not generate these messages. The PC that's generating the messages has been scanned for viruses and spyware... and I've shut down all non-critical processes and they just keep coming. There are no alerts.

How do I go about figuring out what's generating these messages? And if they're harmless, how do I fix things so they're not logged?

Thanks.

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)
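A first triage step for a log like the one above is to aggregate the spp_portscan "portscan status" messages per source host and see whether the activity is UDP-only, TCP-only, or mixed and how many hosts it touches. The script below is an added example, not part of the original post or of Snort itself; the sample log lines are constructed to match the message format quoted above (including one line with a timestamp prefix and one unrelated line), and the helper names `parse_status_line`, `summarize` and `classify` are the example's own.

```python
import re
from collections import defaultdict

# Matches the "portscan status" message format quoted in the post. search() is
# used rather than match() so a leading timestamp, if present, does not matter.
STATUS_RE = re.compile(
    r"\[\*\*\] spp_portscan: portscan status from (?P<src>\d+\.\d+\.\d+\.\d+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\) \[\*\*\]"
)

# Constructed sample input modelled on the log line in the post.
LOG_SAMPLE = """\
[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
05/09-19:28:07.000000 [**] spp_portscan: portscan status from 192.168.2.252: 2 connections across 2 hosts: TCP(0), UDP(2) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 4 connections across 3 hosts: TCP(0), UDP(4) [**]
[**] spp_portscan: portscan status from 10.0.0.7: 5 connections across 5 hosts: TCP(5), UDP(0) [**]
[**] spp_portscan: End of portscan from 10.0.0.7 (constructed line in a format this parser does not handle) [**]
"""


def parse_status_line(line):
    """Return a dict for a 'portscan status' line, or None for anything else."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "conns": int(m.group("conns")),
        "hosts": int(m.group("hosts")),
        "tcp": int(m.group("tcp")),
        "udp": int(m.group("udp")),
    }


def summarize(lines):
    """Aggregate status messages per source host.

    Returns (per_source, unparsed) where per_source maps an IP to totals and
    unparsed counts lines that were not 'portscan status' messages.
    """
    per_source = defaultdict(
        lambda: {"messages": 0, "conns": 0, "tcp": 0, "udp": 0, "hosts_max": 0}
    )
    unparsed = 0
    for line in lines:
        rec = parse_status_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = per_source[rec["src"]]
        s["messages"] += 1
        s["conns"] += rec["conns"]
        s["tcp"] += rec["tcp"]
        s["udp"] += rec["udp"]
        s["hosts_max"] = max(s["hosts_max"], rec["hosts"])
    return dict(per_source), unparsed


def classify(stats):
    """Label a host's traffic mix; UDP-only chatter from an internal host with
    a handful of peers usually points at a broadcast or name-service client
    rather than a deliberate scan, which is what a follow-up capture confirms."""
    if stats["tcp"] == 0 and stats["udp"] > 0:
        return "udp_only"
    if stats["udp"] == 0 and stats["tcp"] > 0:
        return "tcp_only"
    return "mixed"


def report(lines):
    """Human-readable summary, sorted so the chattiest host comes first."""
    per_source, unparsed = summarize(lines)
    out = []
    for src, s in sorted(per_source.items(), key=lambda kv: -kv[1]["messages"]):
        out.append(
            f"{src}: {s['messages']} messages, {s['conns']} connections, "
            f"TCP {s['tcp']}, UDP {s['udp']}, max hosts {s['hosts_max']}, "
            f"{classify(s)}"
        )
    out.append(f"{unparsed} line(s) not parsed")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(LOG_SAMPLE.splitlines()))
```

Once the summary shows which host and which protocol are involved, the natural next step is a packet capture on the firewall filtered to that host and protocol (for the case in the post, UDP from 192.168.2.252) to see which destination ports it is talking to; that identifies the service behind the chatter. If it turns out to be benign, Snort 1.x's portscan preprocessor accepts a `portscan-ignorehosts` directive in the configuration to exclude a confirmed-harmless host from these messages.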
Current thread:
- Confused about rules and logs b311b-snort (May 09)
- <Possible follow-ups>
- Re: Confused about rules and logs Richard Bejtlich (May 10)
- Re: Re: Confused about rules and logs b311b-snort (May 10)
- Re: Confused about rules and logs Richard Bejtlich (May 10)