Snort mailing list archives

Re: Portscan 2 question


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Thu, 24 Oct 2002 11:03:46 -0700

At 11:22 AM 10/24/02 -0600, you wrote:
> I have a weird problem with 2 entries in my ACID database. Apparently,
> my server did a port scan on a remote machine. The problem is that no
> one here initiated a port scan. The database lists my server IP as the
> source and lists a dest IP. This is listed as a spp_portscan2. Does the
> new snort scan other machines on the Internet? I don't want any issues
> with other services because they think I'm port scanning their network.
>
> Thanks
>
> Joe

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts, otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906


