[Snort-users] Portscan 2 question

Hicks, John JHicks at ...5857...
Thu Oct 24 11:45:13 EDT 2002

it's 'last' and again, *any* service allowing ephemeral ports may cause this
not just DNS.


-----Original Message-----
From: Joe Giles [mailto:jgiles at ...6534...]
Sent: Thursday, October 24, 2002 2:13 PM
To: Robby Desmond
Cc: Snort-List
Subject: Re: [Snort-users] Portscan 2 question

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS...
Should I add that to the list? 

Also, I don't seem to have the 'lasts' command. What package is that
part of?

Thanks for the reply


On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> At 11:22 AM 10/24/02 -0600, you wrote:
> >I have a weird problem with 2 entries in my ACID database. Apparently,
> >my server did a port scan on a remote machine. The problem is that no
> >one here initiated a port scan. The database lists my server IP as the
> >source and lists a dest IP. This is listed as a spp_portscan2. Does the
> >new snort scan other machines on the Internet? I don't want any issues
> >with other services because they think I'm port scanning their network.
> >
> >Thanks
> >
> >Joe
> Are you, by chance, running DNS?
> You should add your DNS servers to the list of portscan2-ignorehosts, 
> otherwise you will get this sort of activity.
> If you are not running DNS, then check the "lasts" command to see who has 
> been on your system. (Or who has been appearing as someone on your
> -Robby
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906

This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list