[Snort-devel] [ snort-Bugs-474645 ] Getting false portscan alerts from DNS

noreply at ...12... noreply at ...12...
Thu Oct 25 20:33:12 EDT 2001


Bugs item #474645, was opened at 2001-10-24 14:39
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=474645&group_id=3357

Category: None
Group: None
>Status: Closed
>Resolution: Rejected
Priority: 5
Submitted By: John Draper (crunch)
>Assigned to: Martin Roesch (roesch)
Summary: Getting false portscan alerts from DNS

Initial Comment:
Not sure if this is a bug or a feature, or just a 
mess-up on my part.

I'm getting a lot of "spp_portscan" alerts that seem 
to have no bearing on portscans, and seem to be 
coming in from DNS queries.

Is this a normal thing? Is there a way to identify 
which snort rule might be causing this?

This is the alert I'm getting:

[**] [100:2:1] spp_portscan: portscan status from 209.142.36.244: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
10/24-13:57:58.390971

Could someone please explain this to me?

John

----------------------------------------------------------------------
