Snort mailing list archives

Re: UUnet dns server portscans filling up log.. causing email of real alerts to crash


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Wed, 11 Jul 2001 10:28:38 -0400

The question is why you're receiving these portscans from 198.6.1.5.
A DNS server is not supposed to send portscans. My hunch is that
someone is spoofing that IP and launching a portscan to your machine.
If that's the case, you should be happy that snort is detecting them :-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:

Hey guys, how do I stop this message from getting into the secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from
198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

The address is that of a UUNET DNS server. This address is in the
snort.conf file for the portscan ignore, but it doesn't seem to help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]

preprocessor portscan-ignorehosts: $DNS_SERVERS

Snort has been restarted but still logs these scans.

Does the netmask have to be present for this to work? I am not certain
that this is the netmask of the UUNET servers. How do I find out what
that is?

This is filling up my secure log and causing my email of alerts to crash.

Thanks

madhav

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
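A way to check which spp_portscan status lines the quoted ignore list should cover, added here as an example that is not code from the thread or from Snort itself: it resolves the `$DNS_SERVERS` variable into networks and classifies each logged source address. The log lines are constructed, and the second source address is made up for contrast.

```python
import ipaddress
import re

# Constructed sample: the ignore list from the quoted snort.conf plus two
# syslog lines in the spp_portscan format seen in the thread.
SNORT_CONF = """
var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]
preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

LOG_LINES = [
    "Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)",
    # made-up second source, not from the thread
    "Jul 11 09:26:02 FG-IDS1 snort[595]: spp_portscan: portscan status from "
    "203.0.113.7: 40 connections across 12 hosts: TCP(40), UDP(0)",
]

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+\[([^\]]*)\]", re.M)
IGNORE_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts:\s*(.+)$", re.M)
STATUS_RE = re.compile(r"spp_portscan: portscan status from (\S+?):")


def ignored_networks(conf):
    """Resolve the portscan-ignorehosts line to a list of ip_network objects.
    A bare address without a mask is treated as a single host (/32)."""
    variables = {name: body.split(",") for name, body in VAR_RE.findall(conf)}
    m = IGNORE_RE.search(conf)
    if not m:
        return []
    nets = []
    for token in m.group(1).replace(" ", "").split(","):
        items = variables.get(token[1:], []) if token.startswith("$") else [token]
        nets.extend(ipaddress.ip_network(i, strict=False) for i in items if i)
    return nets


def classify(lines, nets):
    """Split spp_portscan status lines into (suppressed, kept) source addresses,
    where suppressed means the source falls inside one of the ignore networks."""
    suppressed, kept = [], []
    for line in lines:
        m = STATUS_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        (suppressed if any(src in n for n in nets) else kept).append(str(src))
    return suppressed, kept
```

Run `classify(LOG_LINES, ignored_networks(SNORT_CONF))` to see which of the sample lines the configured ignore list matches; a source that still shows up in `kept` is one the list does not cover.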
