[Snort-users] snort upgrade and odd logs

barry Barry.Haycock at ...7203...
Thu Oct 17 07:16:52 EDT 2002

I have just upgraded snort from 1.8.6 to 1.9.0 along with all the
appropriate rule files.
The upgrade went fine and I created a new snort.conf file.

But what I have seen since the upgrade, and cannot resolve, is that traffic
that is classed as internal is appearing
in the log files and within ACID.

I have set (and these are examples only)
var HOME_NET [,]

What I am seeing is what the system is reporting as port scans coming from
webservers in the address space to hosts outside. Snort is
reporting that these portscans are being done
from port 443/53 amongst other ports. Now port 443 is being used for SSL on
these same machines.
Plus I am seeing SNMP traffic that is talking between hosts on both
subnets. This traffic should be there but
according to the rules as above I shouldn't be seeing it.

I have checked the rule for SNMP and it states that anything from external
-> internal

I have scanned the machines for a root kit and haven't found anything. All
of these machines are behind a firewall that only has specific ports open to
the hosts.

Any ideas?

