[Snort-users] Portscan 2 question

Robby Desmond rdesmond at ...6547...
Thu Oct 24 13:37:14 EDT 2002


At 11:22 AM 10/24/02 -0600, you wrote:
>I have a weird problem with 2 entries in my ACID database. Apparently,
>my server did a port scan on a remote machine. The problem is that no
>one here initiated a port scan. The database lists my server IP as the
>source and lists a dest IP. This is listed as a spp_portscan2. Does the
>new snort scan other machines on the Internet? I don't want any issues
>with other services because they think I'm port scanning their network.
>
>Thanks
>
>Joe

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts, 
otherwise you will get this sort of activity.

If you are not running DNS, then check the "last" command to see who has 
been on your system. (Or who has been appearing as someone on your system.)

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906




