Snort mailing list archives

RE: UUnet dns server portscans filling up log.. causing email of real alerts to crash


From: "Madhav Diwan" <mdiwan () wagweb com>
Date: Wed, 11 Jul 2001 11:00:56 -0400

No, I don't think so: this happens at two different sites.

And this "scan" occurs once every 4 seconds and has been present for
the four days * 24 hours that the server has been in place.

Either the would-be hacker is really stupid, or this is legitimate
scanning from UUNET.


Anyway, how do I stop the alert from happening:

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

PS: this is a Red Hat 7.1 system running Snort 1.7.1 from snort.org

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Wednesday, July 11, 2001 10:29 AM
To: Madhav Diwan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] UUnet dns server portscans filling up log.. causing email of real alerts to crash


The question is why you're receiving these portscans from 198.6.1.5.
A DNS server is not supposed to send portscans. My hunch is that
someone is spoofing that IP and launching a portscan to your machine.
If that's the case, you should be happy that snort is detecting them :-)

Ramin

On Wed, Jul 11, 2001 at 09:52:26AM -0400, Madhav Diwan wrote:

Hey guys, how do I stop this message from getting into the secure log?

Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)

The address is that of a UUNET DNS server. This address is in the
snort.conf file for the portscan ignore, but it doesn't seem to
help:

var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]

preprocessor portscan-ignorehosts: $DNS_SERVERS

Snort has been restarted but still logs these scans.

Does the netmask have to be present for this to work? I am not certain
that this is the netmask of the UUNET servers. How do I find out what
that is?

This is filling up my secure log and causing my email of alerts to
crash.

Thanks

madhav


Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Wagner Weber & Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
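The thread asks two things: whether the `/32` in `var DNS_SERVERS [198.6.1.5/32,198.6.1.1/32]` is the right netmask, and how to keep the repeated `spp_portscan` lines from flooding the secure log and the alert mailer. A `/32` denotes exactly one host, so the netmask is not the problem. The script below is an added example written for this page, not Snort's code and not anything from the thread: it parses `spp_portscan` syslog lines, reads a whitelist in the same bracketed, comma-separated form Snort's `var` uses (a bare address is treated as `/32`), and separates alerts from whitelisted sources from those that should still be mailed. The log lines are constructed for the example, modelled on the one quoted in the thread; the `PORTSCAN DETECTED` line is an assumed format used only to show that a non-whitelisted source is kept.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log (not a real capture). The first two lines mirror the
# message quoted in the thread; the third is an assumed non-whitelisted scan,
# the fourth an unrelated syslog line that must pass through untouched.
SAMPLE_LOG = """\
Jul 11 09:25:24 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
Jul 11 09:25:28 FG-IDS1 snort[595]: spp_portscan: portscan status from 198.6.1.5: 1 connections across 1 hosts: TCP(0), UDP(1)
Jul 11 09:26:01 FG-IDS1 snort[595]: spp_portscan: PORTSCAN DETECTED from 10.9.8.7 (THRESHOLD 4 connections exceeded in 0 seconds)
Jul 11 09:26:05 FG-IDS1 sshd[1203]: Accepted publickey for admin from 10.0.0.2 port 51822 ssh2
"""

# Matches the source address in spp_portscan messages ("... from A.B.C.D ...").
PORTSCAN_RE = re.compile(r"spp_portscan: .*?\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def parse_ignore_hosts(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a Snort-style list such as "[198.6.1.5/32,198.6.1.1/32]".

    Surrounding brackets are optional, entries are comma separated, and an
    entry without a prefix length is a single host (equivalent to /32).
    """
    nets = []
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if item:
            # strict=False tolerates host bits set in a wider prefix (e.g. 198.6.1.5/24)
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def portscan_source(line: str) -> Optional[ipaddress.IPv4Address]:
    """Return the scanning source from an spp_portscan line, or None if the
    line is not a portscan message."""
    m = PORTSCAN_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_ignored(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    """True when addr falls inside any whitelisted network."""
    return any(addr in n for n in nets)


def filter_portscan_alerts(lines: List[str], ignore_spec: str) -> Tuple[List[str], List[str]]:
    """Split log lines into (kept, suppressed).

    Only spp_portscan lines whose source is whitelisted are suppressed;
    everything else, including non-portscan lines, is kept for the mailer.
    """
    nets = parse_ignore_hosts(ignore_spec)
    kept, suppressed = [], []
    for line in lines:
        src = portscan_source(line)
        if src is not None and is_ignored(src, nets):
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_portscan_alerts(
        SAMPLE_LOG.splitlines(), "[198.6.1.5/32,198.6.1.1/32]"
    )
    print(f"suppressed {len(suppressed)} whitelisted portscan line(s)")
    for line in kept:
        print("MAIL:", line)
```

Run it as a pre-filter in front of whatever mails the alerts: the whitelisted `198.6.1.5` lines are dropped, the scan from the unlisted `10.9.8.7` and the unrelated `sshd` line are forwarded. The point of `is_ignored` accepting a network list rather than a set of addresses is that the same code answers the netmask question: `198.6.1.5/32` matches only `198.6.1.5`, while `198.6.1.0/24` would match the whole block.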

