Snort mailing list archives
False positives with UDP Portscan PROTO255
From: "Mike Lieberman" <Mike () netwright net>
Date: Sat, 5 Mar 2005 16:18:15 -0700
I have doubts about some of the messages I am getting from Snort (using rules for 2.3). For instance, the following portscan message is from ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS server traffic labeled as port scans. In the case below, unless Sprint's primary name server (as well as many others from [have]) has been compromised, these 'portscans' would actually have to be something related to BIND.

[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 204.117.214.10 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162
ns1.sprintlink.net [204.117.214.10]
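As an added tuning example (not from the post above or from the Snort project), the following Python parses sfPortscan alerts in the layout quoted in the post (gid 122, PROTO255 pseudo-packets) and emits Snort 2.x `suppress` lines for sources that sit on an operator-maintained allowlist of known DNS peers. The second sample alert, its 198.51.100.77 source and the allowlist are constructed for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed sample: two sfPortscan alerts in Snort's full-alert layout.
# The first mirrors the post; the second source address is made up.
SAMPLE_ALERTS = """\
[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 204.117.214.10 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162

[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-21:02:11.000001 198.51.100.77 -> 216.169.0.228
PROTO255 TTL:0 TOS:0x0 ID:1 IpLen:20 DgmLen:162
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] \(portscan\) (.+?) \[\*\*\]")
ADDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$", re.M)   # "timestamp src -> dst"
PROTO_RE = re.compile(r"^PROTO(\d+) ", re.M)          # sfPortscan uses PROTO255


def parse_portscan_alerts(text):
    """Split alert text into blocks and pull gid/sid, scan type, src/dst and protocol."""
    alerts = []
    for block in text.strip().split("\n\n"):
        h, a, p = HEADER_RE.search(block), ADDR_RE.search(block), PROTO_RE.search(block)
        if not (h and a and p):
            continue  # not an sfPortscan alert; ignore
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "kind": h.group(4),
            "src": ip_address(a.group(1)), "dst": ip_address(a.group(2)),
            "proto": int(p.group(1)),
        })
    return alerts


def suppressions_for_known_dns(alerts, known_dns):
    """Return threshold.conf 'suppress' lines for portscan alerts whose source
    is a DNS peer on the allowlist (strings of IPs); other sources still alert."""
    allow = {ip_address(s) for s in known_dns}
    lines, seen = [], set()
    for al in alerts:
        key = (al["gid"], al["sid"], al["src"])
        if al["proto"] == 255 and al["src"] in allow and key not in seen:
            seen.add(key)
            lines.append(f"suppress gen_id {al['gid']}, sig_id {al['sid']}, "
                         f"track by_src, ip {al['src']}")
    return lines
```

Suppressing by source keeps the preprocessor running for everyone else, which is preferable to disabling the UDP portscan signature outright.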