[Snort-users] Snort portscan

Thai-Hai DINH Thai-Hai.Dinh at ...1231...
Tue Jan 30 03:27:15 EST 2001


Hello,

Since I installed snort 1.6.3, I usually receive the following mail
log messages.
The IP address 999.223.8.x is our Solaris DNS server, the IP address
999.223.4.z is our second Solaris DNS server, and 999.223.8.y is the
machine on which snort is running.
Could someone explain to me why snort displays the message "PING-ICMP
Destination Unreachable: 999.223.8.y -> 999.223.8.x" even though both
machines are up and respond to the ping command in interactive mode?
(I'm a new user of these network tools. :-)
Any help will be appreciated.
Thank you.


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 29 19:00:02 cisun27 snort[3682]: [ID 702911 auth.alert] spp_portscan:
PORTSCAN DETECTED from 999.223.8.x (THRESHOLD 3 connections exceeded in 0
seconds)
Jan 29 19:02:16 cisun27 snort[3682]: [ID 702911 auth.alert] spp_portscan:
portscan status from 999.223.8.y: 5 connections across 1 hosts: TCP(1),
UDP(4)
Jan 29 19:03:46 cisun27 snort[3682]: [ID 702911 auth.alert] spp_portscan:
portscan status from 999.223.8.y: 1 connections across 1 hosts: TCP(0),
UDP(1)
Jan 29 19:05:16 cisun27 last message repeated 1 time
Jan 29 19:05:36 cisun27 snort[3682]: [ID 702911 auth.alert] spp_portscan:
End of portscan from 999.223.8.y: TOTAL time(315s) hosts(1) TCP(1) UDP(6)
Jan 29 19:32:16 cisun27 snort[3682]: [ID 244969 auth.alert] PING-ICMP
Destination Unreachable: 999.223.8.y -> 999.223.8.x
Jan 29 19:35:16 cisun27 last message repeated 1 time
Jan 29 19:41:16 cisun27 snort[3682]: [ID 244969 auth.alert] PING-ICMP
Destination Unreachable: 999.223.8.y -> 999.223.8.x
Jan 29 19:42:46 cisun27 last message repeated 1 time
Jan 29 19:47:16 cisun27 snort[3682]: [ID 244969 auth.alert] PING-ICMP
Destination Unreachable: 999.223.8.y -> 999.223.8.x
Jan 29 19:47:16 cisun27 snort[3682]: [ID 244969 auth.alert] PING-ICMP
Destination Unreachable: 999.223.8.x -> 999.223.4.z
Jan 29 19:48:46 cisun27 snort[3682]: [ID 244969 auth.alert] PING-ICMP
Destination Unreachable: 999.223.8.y -> 999.223.8.y



  With my best regards

  Thai-Hai DINH
  University of Lausanne              Computer Center / Security
  Rte de Chavannes, 33                1007 Lausanne - Switzerland
  mailto:thai-hai.dinh at ...1231...     http://www.unil.ch/ci
  tel: ++ 41 21 692 22 12             fax: ++ 41 21 692 22 05





