[Snort-devel] [ snort-Bugs-474643 ] Getting false portscan alerts from DNS

noreply at ...12... noreply at ...12...
Thu Oct 25 20:33:11 EDT 2001


Bugs item #474643, was opened at 2001-10-24 14:32
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=474643&group_id=3357

Category: None
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
>Assigned to: Martin Roesch (roesch)
Summary: Getting false portscan alerts from DNS

Initial Comment:
Not sure if this is a bug or a feature, or just a 
mess-up on my part.

I'm getting a lot of "spp_portscan" alerts that seem 
to have no bearing on portscans, and seem to be 
coming in from DNS queries.

Is this a normal thing? Is there a way to identify 
which snort rule might be causing this?

This is the alert I'm getting:

[**] [100:2:1] spp_portscan: portscan status from 
209.142.36.244: 5 connections 
across 5 hosts: TCP(0), UDP(5) [**]
10/24-13:57:58.390971 

Could someone please explain this to me?

John

----------------------------------------------------------------------

>Comment By: Martin Roesch (roesch)
Date: 2001-10-25 20:21

Message:
Logged In: YES 
user_id=18573

RTFM.  Lots of data on this in the FAQ, snort.conf and the
SnortUsersGuide.  Hint: look for portscan-ignorehosts.


----------------------------------------------------------------------

Comment By: John Draper (crunch)
Date: 2001-10-24 14:36

Message:
Logged In: YES 
user_id=61606

I forgot to add my Email addy.

crunch at ...904...

----------------------------------------------------------------------
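An added triage example, not part of the original tracker item or of Snort itself: it parses spp_portscan status alerts in the format quoted in the report, totals TCP and UDP counts per source, and emits a portscan-ignorehosts line only for UDP-only sources that the operator has already verified as DNS servers. The `known_dns` set, the helper names and the 192.0.2.77 sample alert are assumptions made for illustration; whether 209.142.36.244 is really a resolver is something the page does not state.

```python
import re
from collections import defaultdict

# Matches the status-alert format quoted in the report above.
ALERT_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

# Constructed sample: the first alert is the one from the report (still
# mail-wrapped); the other two are made up for this example.
SAMPLE_ALERTS = """\
[**] [100:2:1] spp_portscan: portscan status from
209.142.36.244: 5 connections
across 5 hosts: TCP(0), UDP(5) [**]
[**] [100:2:1] spp_portscan: portscan status from 209.142.36.244: 7 connections across 6 hosts: TCP(0), UDP(7) [**]
[**] [100:2:1] spp_portscan: portscan status from 192.0.2.77: 40 connections across 1 hosts: TCP(40), UDP(0) [**]
"""


def summarize(text):
    """Total TCP/UDP connection counts per source over all status alerts."""
    flat = " ".join(text.split())  # undo line wrapping inside an alert
    totals = defaultdict(lambda: {"alerts": 0, "tcp": 0, "udp": 0})
    for m in ALERT_RE.finditer(flat):
        entry = totals[m["src"]]
        entry["alerts"] += 1
        entry["tcp"] += int(m["tcp"])
        entry["udp"] += int(m["udp"])
    return dict(totals)


def udp_only_sources(totals, known_dns):
    """UDP-only sources that are also on the operator's verified DNS list.

    Requiring both conditions keeps an unknown host that happens to scan
    over UDP from being silenced.
    """
    return sorted(
        src for src, t in totals.items()
        if t["tcp"] == 0 and t["udp"] > 0 and src in known_dns
    )


def ignorehosts_line(hosts):
    """Render a snort.conf line for the setting named in the reply above."""
    return "preprocessor portscan-ignorehosts: " + " ".join(f"{h}/32" for h in hosts)


if __name__ == "__main__":
    totals = summarize(SAMPLE_ALERTS)
    # Assumption: the operator has confirmed this address is a DNS server.
    print(ignorehosts_line(udp_only_sources(totals, {"209.142.36.244"})))
```

The TCP-heavy source stays out of the ignore list, so it keeps generating portscan alerts.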
