[Snort-users] Portscan from own interface

Midnight shadow p.selder at ...2006...
Thu May 10 03:44:29 EDT 2001


I noticed something strange in the snort-log file. I got a portscan from the 
external interface from my firewall. Normally the offending host is logged, 
but now my external IP is listed.

What can be the cause? Spoofing of some kind?
The next lines are only a few from the messages log.

May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times

x.x.x.x is the IP of the external interface.
I'm running Snort 1.8 beta on Red Hat 7.0 i386.

Any ideas?

Patrick

-- 
 ZZzz   |\      _,,,---,,_
        /,`.-'`'                 -.  ;-;;,_
       |,4-  ) )-,_..;\ (  `'-'
      '---''(_/--'  `-'\_)

The slogan from the irs:
We've got what it takes to take what you've got!
