[Snort-users] Portscan 2 question

Robby Desmond rdesmond at ...6547...
Thu Oct 24 13:37:14 EDT 2002

At 11:22 AM 10/24/02 -0600, you wrote:
>I have a weird problem with 2 entries in my ACID database. Apparently,
>my server did a port scan on a remote machine. The problem is that no
>one here initiated a port scan. The database lists my server IP as the
>source and lists a dest IP. This is listed as a spp_portscan2. Does the
>new snort scan other machines on the Internet? I don't want any issues
>with other services because they think I'm port scanning their network.

Are you, by chance, running DNS?

You should add your DNS servers to the list of portscan2-ignorehosts, 
otherwise you will get this sort of activity.

If you are not running DNS, then check the "lasts" command to see who has 
been on your system. (Or who has been appearing as someone on your system.)


Robert Desmond
Systems Administrator
UCSB Extended Learning Services
