[Snort-users] Rule Config Question

Caruso, Ken ken.caruso at ...1122...
Wed Jan 10 23:33:38 EST 2001


I have snort installed on 4.0 Free BSD box, I am assuming that my problem is
related to a misconfiguration in my rule file, but I am little lost.

When I port scan (nmap) local host on the box that has snort installed, it
logs the port scan attempt as coming from my ISP's DNS server instead of the
IP addy of the machine I am on.

In the rule file I have the Home network var set to the ip of the network
interface on the box, I was not sure what the External var should be set to,
so I set it to the same value (local machines ip addy). What exactly is the
External Var supposed to be?

Details:

rule file has-
var HOME_NET x.x.x.231/32
var EXTERNAL_NET x.x.x.231/32

Alert log, from running an "nmap localhost" on the snort box reports:

[**] spp_portscan: PORTSCAN DETECTED from x.x.x.22 (THRESHOLD 3 connections
exceeded in 1 seconds) [**]
01/10-17:51:52.513852

The 22 address is the my ISP's DNS Server, how the heck does this happen?

Thanks in Advance

Ken Caruso




More information about the Snort-users mailing list