[Snort-users] Portscan 2 question
jgiles at ...6534...
Thu Oct 24 11:16:04 EDT 2002
I also checked the history files of the 5 users I do have and nothing in
there indicates that nmap or nessus or any other scanner was run. And
there was no sudo or su command initiated.
On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> At 11:22 AM 10/24/02 -0600, you wrote:
> >I have a weird problem with 2 entries in my ACID database. Apparently,
> >my server did a port scan on a remote machine. The problem is that no
> >one here initiated a port scan. The database lists my server IP as the
> >source and lists a dest IP. This is listed as a spp_portscan2. Does the
> >new snort scan other machines on the Internet? I don't want any issues
> >with other services because they think I'm port scanning their network.
> Are you, by chance, running DNS?
> You should add your DNS servers to the list of portscan2-ignorehosts,
> otherwise you will get this sort of activity.
> If you are not running DNS, then check the "lasts" command to see who has
> been on your system. (Or who has been appearing as someone on your system.)
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services