Snort mailing list archives

False positives with UDP Portscan PROTO255


From: "Mike Lieberman" <Mike () netwright net>
Date: Sat, 5 Mar 2005 16:18:15 -0700

I have doubts about some of the messages I am getting from Snort (using
rules for 2.3). For instance, the following portscan message is from
ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS server
traffic labeled as port scans. In the case below, unless Sprint's primary
name server (as well as many others from [have]) has been compromised,
these 'portscans' would actually have to be something related to BIND.

[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 204.117.214.10 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162

ns1.sprintlink.net [204.117.214.10]
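
Added example (not from the post above and not Snort project code): a small Python script that parses sfPortscan alert blocks of the shape quoted in the post and triages them against an allow-list of DNS peers, which is what sfPortscan's ignore_scanners option does inside snort.conf. The PROTO255 / TTL:0 line is not a captured datagram: sfPortscan (generator 122) reports a scan as a synthetic IP packet with protocol 255 and TTL 0, carrying the scan statistics in its payload, so the "protocol" in that line says nothing about the real traffic. The second alert in the sample input, the 198.51.100.0/24 entry in the peer list, and the function names are constructed for the example; the sfportscan option names are real, but the exact delimiter inside the ignore_scanners list should be checked against the snort.conf shipped with your version.

```python
"""Triage sfPortscan alerts from a Snort 2.x alert file.

Added example, not from the original post. It parses the alert block quoted
in the post (plus one constructed alert) and applies a simple allow-list of
known DNS peers, mirroring what sfportscan's ignore_scanners option does.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed input: the block from the post followed by one made-up alert
# from a source (192.0.2.77, documentation range) that is not a known peer.
SAMPLE_ALERTS = """\
[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 204.117.214.10 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162

[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-21:02:11.000000 192.0.2.77 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:44290 IpLen:20 DgmLen:162
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PACKET_RE = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
IPHDR_RE = re.compile(
    r"PROTO(\d+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)"
)

SFPORTSCAN_GID = 122  # generator id of the sfPortscan preprocessor


def parse_alerts(text):
    """Return one dict per alert block (blocks are separated by blank lines).

    Only the three-line layout quoted in the post is handled: header line,
    timestamp/src/dst line, IP header line. Blocks that do not fit are skipped.
    """
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h = HEADER_RE.match(lines[0])
        p = PACKET_RE.match(lines[1])
        i = IPHDR_RE.match(lines[2])
        if not (h and p and i):
            continue
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
            "msg": h.group(4),
            "time": p.group(1),
            "src": ip_address(p.group(2)), "dst": ip_address(p.group(3)),
            "proto": int(i.group(1)), "ttl": int(i.group(2)),
            "tos": int(i.group(3), 16), "id": int(i.group(4)),
            "iplen": int(i.group(5)), "dgmlen": int(i.group(6)),
        })
    return alerts


def is_sfportscan_pseudo_packet(alert):
    """sfPortscan reports a scan as a synthetic IP packet with protocol 255
    and TTL 0 (the scan statistics ride in its payload). It is not a captured
    datagram, so PROTO255 is not the real protocol of the scanning traffic."""
    return (alert["gid"] == SFPORTSCAN_GID
            and alert["proto"] == 255 and alert["ttl"] == 0)


# Hypothetical allow-list: peers whose server-to-server DNS traffic is
# expected. 204.117.214.10 is ns1.sprintlink.net from the post; the /24 is
# made up for the example.
KNOWN_DNS_PEERS = [ip_network("204.117.214.10/32"), ip_network("198.51.100.0/24")]


def triage(alert, peers=KNOWN_DNS_PEERS):
    """'ignore' for sfPortscan alerts whose source is a known DNS peer,
    'investigate' for everything else (including non-portscan alerts)."""
    if not is_sfportscan_pseudo_packet(alert):
        return "investigate"
    if any(alert["src"] in net for net in peers):
        return "ignore"
    return "investigate"


def ignore_scanners_line(peers=KNOWN_DNS_PEERS):
    """Emit a snort.conf preprocessor line that tells sfPortscan to skip
    these sources. Option names are sfPortscan's; the space-separated list
    format is an assumption to check against your version's snort.conf."""
    nets = " ".join(str(n) for n in peers)
    return ("preprocessor sfportscan: proto { udp } scan_type { all } "
            "sense_level { low } ignore_scanners { %s }" % nets)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["time"], a["src"], "->", a["dst"], a["msg"], "=>", triage(a))
    print(ignore_scanners_line())
```

Run as-is it prints one "ignore" for the Sprint name server and one "investigate" for the constructed source, then the preprocessor line to paste into snort.conf. Suppressing a peer this way only hides sfPortscan's verdict for that address; the actual DNS traffic still passes the rule set.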