[Snort-users] HELP!

Noah Silverman noah at ...4048...
Fri Nov 9 08:11:11 EST 2001

I've set up snort on our network, but I can't seem to keep it from logging
alerts from our DNS machines.


Our DNS server is

I put in the following rules:
pass icmp any any <> any
pass tcp any any <> any
pass udp any any <> any

I still get TONS (thousands a day) of alerts like:

[**] spp_portscan: PORTSCAN DETECTED from (THRESHOLD 4
connections exceeded in 14 seconds) [**]

[**] spp_portscan: portscan status from 7 connections
across 1 hosts: TCP(0), UDP(7) [**]

[**] IDS246 - MISC - Large ICMP Packet [**]

ALSO: I have set up our home network, but still get alerts like the

11/09-11:05:17.069534 789.789.789.789 -> 456.456.456.456
ICMP TTL:253 TOS:0x0 ID:30245 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

The problem is that both of these machines (from the alert above) are on my


