[Snort-users] snort detects portscan?

alexus ml at ...1718...
Wed Jun 20 10:18:40 EDT 2001


oh okay.. heh sorry:)

what i found out is that by accident when i was removing one domain from my
dns .. i only removed it on the master ns and didn't remove it on the slave.. and the slave was
trying to connect to the master to get this zone.. and somehow bind considers it
a portscan (weird).. but after i removed this zone from the slave those
messages no longer appear..

----- Original Message -----
From: "Phil Wood" <cpw at ...440...>
To: "alexus" <ml at ...1718...>
Sent: Wednesday, June 20, 2001 9:37 AM
Subject: Re: [Snort-users] snort detects portscan?


> On Wed, Jun 20, 2001 at 01:37:29AM -0400, alexus wrote:
> > i figured it out:) never mind thanks
>
> It might help others if you share with the list what you figured out.
>
> >
> > ----- Original Message -----
> > From: "Joe McAlerney" <joey at ...47...>
> > To: "alexus" <ml at ...1718...>
> > Cc: <Snort-users at lists.sourceforge.net>
> > Sent: Tuesday, June 19, 2001 7:36 PM
> > Subject: Re: [Snort-users] snort detects portscan?
> >
> >
> > > The portscan preprocessor is detecting "stealth" packets.  They will be
> > > alerted on regardless of whether or not you have the source host defined
> > > in portscan-ignorehosts.  There are some good examples of why this
> > > occurs in the archives of this mailing list.  Most recently, it is
> > > caused by ENC packets with Linux 2.4 kernels.
> > >
> > > -Joe M.
> > >
> > > --
> > > |   Joe McAlerney     joey at ...155...   |
> > > | Silicon Defense - Technical Support for Snort |
> > > |       http://www.silicondefense.com/          |
> > > +--                                           --+
> > >
> > > alexus wrote:
> > > >
> > > > Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
> > > > Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
> > > > Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> > > > Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
> > > >
> > > > i'm getting this in my syslog like every other 10 minutes.. i know that ip is
> > > > not portscanning me 'cause i wouldn't portscan myself:)
> > > >
> > > > any ideas what could cause that?
> > > >
> > > > as far as i can tell i do have a bit of communication between my box and
> > > > that pc .. that's dns .. but then again why is it doing it every 10 minutes?
> > > > and in snort.conf i put this ip into var DNS_SERVERS..
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> >
> >
>
> --
> Phil Wood, cpw at ...440...
>
>
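Since Joe notes that STEALTH alerts fire regardless of portscan-ignorehosts, the practical defence is post-hoc triage of the syslog output: parse the spp_portscan lines and mark sources that are already known infrastructure peers (here the DNS master/slave pair), so a STEALTH alert from one of them is treated as a configuration question rather than a scan. This is an added example, not code from the thread or from Snort; the sample lines are constructed from the excerpt quoted above, the regexes are fitted to those two message shapes, and the known_peers list (including 198.51.100.7 as an unknown source) is an assumed input.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the syslog excerpt quoted in the thread.
SAMPLE_LINES = [
    "Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: "
    "2 connections across 1 hosts: TCP(1), UDP(1) STEALTH",
    "Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: "
    "TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH",
    "Jun 19 19:06:02 box sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Jun 19 19:07:11 box snort: spp_portscan: portscan status from 198.51.100.7: "
    "14 connections across 3 hosts: TCP(14)",
]

STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<ip>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: (?P<rest>.*)$")
END_RE = re.compile(
    r"spp_portscan: End of portscan from (?P<ip>[\d.]+): "
    r"TOTAL time\((?P<secs>\d+)s\) hosts\((?P<hosts>\d+)\) (?P<rest>.*)$")

def parse_portscan_line(line):
    """Return a dict for an spp_portscan line, or None for any other syslog line."""
    m = STATUS_RE.search(line)
    if m:
        return {"kind": "status", "ip": m.group("ip"),
                "connections": int(m.group("conns")), "hosts": int(m.group("hosts")),
                "stealth": "STEALTH" in m.group("rest")}
    m = END_RE.search(line)
    if m:
        return {"kind": "end", "ip": m.group("ip"), "seconds": int(m.group("secs")),
                "hosts": int(m.group("hosts")), "stealth": "STEALTH" in m.group("rest")}
    return None

def triage(lines, known_peers):
    """Group alerts per source IP and mark sources listed in known_peers (hosts or
    networks you already exchange traffic with, e.g. DNS peers); a STEALTH alert
    from one of those needs a config check, since portscan-ignorehosts won't hide it."""
    nets = [ip_network(p) for p in known_peers]
    summary = {}
    for line in lines:
        rec = parse_portscan_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(
            rec["ip"], {"alerts": 0, "stealth": False, "known_peer": False})
        entry["alerts"] += 1
        entry["stealth"] = entry["stealth"] or rec["stealth"]
        entry["known_peer"] = any(ip_address(rec["ip"]) in n for n in nets)
    return summary
```

Running `triage(SAMPLE_LINES, ["216.27.143.184"])` groups the two DNS-peer alerts under a known peer and leaves the other source unmarked for normal scan handling.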