[Snort-users] Portscan from own interface

Subba Rao subba9 at ...530...
Wed May 16 01:37:33 EDT 2001


On  0, Midnight shadow <p.selder at ...2006...> wrote:
> 
> I noticed someting stange in the snort-log file. I got a portscan from the 
> external interface from my firewall. Normally the offending hosts is logged, 
> but now my external ip is listed.
> 
> What can be the cause? Spoofing of some kind?
> The next line are only a few from the messages log.
> 
> May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from 
> x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
> May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from 
> x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
> May 10 09:01:15 proxy last message repeated 2 times
> 
> x.x.x.x is the ip of the external interface.
> I'm running snort 1.8 beta on redhat 7.0 i386
> 

I am seeing similar messages in my snort logs. I hope it is only spoofing and
not that my machine has been compromised.

[**] spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
05/16-05:19:37.397711 

How can I set up anti-spoofing controls on my machine?

TIA.

-- 

Subba Rao
subba9 at ...530...
http://members.home.net/subba9/

GPG public key ID 27FC9217




More information about the Snort-users mailing list