[Snort-users] Snort, Queso and iptables

Juergen Fiedler juergen at ...3730...
Tue Oct 9 08:11:13 EDT 2001


Hello,

Just about every other day, snort reports a 'Possible Queso
Fingerprint attempt' from a machine at kernel.org (most frequently
mirrors.kernel.org). This is puzzling to me for several reasons:

With whitehats.com being down, I was unable to determine what a Queso
Fingerprint is. Looks like some probe of my auth port, but I have no
idea what it is actually trying to do.

I believe that the people at kernel.org are good and righteous. Why
would they try to probe my auth port?

Port 113 should be hidden behind my iptables firewall. In fact, I
tried to connect to this port from the outside and was unsuccessful.
Does snort actually analyze packets before they hit iptables? That
seems somewhat weird.

Could anyone please shed some light on one or more of my questions?

Thanks in advance,
Juergen
