[Snort-users] HELP!

Noah Silverman noah at ...4048...
Fri Nov 9 08:11:11 EST 2001


I've set up snort on our network, but I can't seem to keep it from logging
alerts from our DNS machines.

I.e.

Our DNS server is 123.123.123.123

I put in the following rules:
pass icmp any any <> 123.123.123.123 any
pass tcp any any <> 123.123.123.123 any
pass udp any any <> 123.123.123.123 any

I still get TONS (thousands a day) of alerts like:

[**] spp_portscan: PORTSCAN DETECTED from 123.123.123.123 (THRESHOLD 4
connections exceeded in 14 seconds) [**]
11/09-11:06:28.270344

[**] spp_portscan: portscan status from 123.123.123.123: 7 connections
across 1 hosts: TCP(0), UDP(7) [**]

11/09-11:05:14.790329
[**] IDS246 - MISC - Large ICMP Packet [**]



ALSO: I have set up our home network, but still get alerts like the
following:

11/09-11:05:17.069534 789.789.789.789 -> 456.456.456.456
ICMP TTL:253 TOS:0x0 ID:30245 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

The problem is that both of these machines (from the alert above) are on my
network.

HELP!!

-N
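The configuration from the post, reworked as an added example (this is not the poster's own snort.conf). It assumes Snort 1.x as shipped in 2001, a placeholder 192.168.1.0/24 for the real HOME_NET, and the dsize threshold of the stock Large ICMP Packet rule; the point it shows is that spp_portscan alerts come from a preprocessor and are never suppressed by pass rules, and that pass rules only beat alert rules when Snort is started with -o.

```snort
# Added example configuration, not from the original post. Assumes Snort 1.x
# (2001), where rules are applied alert -> pass -> log unless -o is given and
# the portscan detector is the spp_portscan preprocessor.

# Define the local network so rules can distinguish inside from outside.
# 192.168.1.0/24 is a placeholder for the real address range.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Preprocessor alerts are generated before any rule is evaluated, so the
# three pass rules cannot silence them. spp_portscan keeps its own
# exclusion list; the DNS server belongs there.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 123.123.123.123/32

# Rule-based alerts for the DNS server. These pass rules (as written in the
# post) only take effect ahead of the alert rules when snort runs with -o,
# which changes the order to pass -> alert -> log.
pass icmp any any <> 123.123.123.123 any
pass tcp any any <> 123.123.123.123 any
pass udp any any <> 123.123.123.123 any

# Scope the ICMP signature to traffic crossing the network edge, so echo
# requests between two internal hosts (the second alert in the post) no
# longer match. The dsize value is assumed from the stock rule.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS246 - MISC - Large ICMP Packet"; dsize: >800;)
```

Check the result by counting spp_portscan and IDS246 lines in the alert file over a day before and after the change; if portscan alerts for the DNS server persist, the preprocessor line is not being read (for example, a second snort.conf include overriding it).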




