[Snort-users] Portscan 2 question
rdesmond at ...6547...
Thu Oct 24 13:37:14 EDT 2002
At 11:22 AM 10/24/02 -0600, you wrote:
>I have a weird problem with 2 entries in my ACID database. Apparently,
>my server did a port scan on a remote machine. The problem is that no
>one here initiated a port scan. The database lists my server IP as the
>source and lists a dest IP. This is listed as a spp_portscan2. Does the
>new snort scan other machines on the Internet? I don't want any issues
>with other services because they think I'm port scanning their network.
Are you, by chance, running DNS?
You should add your DNS servers to the list of portscan2-ignorehosts,
otherwise you will get this sort of activity.
If you are not running DNS, then check the "lasts" command to see who has
been on your system. (Or who has been appearing as someone on your system.)
UCSB Extended Learning Services
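
An added illustration, not part of the original message and not Snort's own code: a simplified model of a portscan2-style distinct-target threshold, showing why a DNS server that contacts many remote hosts in a short window is reported as a scan source, and how an ignore list suppresses that alert. The function name, threshold values, and all addresses (documentation ranges) are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def scan_sources(flows, target_limit=5, timeout=60, ignorehosts=()):
    """Return source IPs that contact more than `target_limit` distinct
    destinations within `timeout` seconds. Simplified model only: the
    real preprocessor also tracks ports and has its own state limits."""
    ignored = [ip_network(h) for h in ignorehosts]
    recent = defaultdict(deque)  # source IP -> (timestamp, destination) pairs
    flagged = set()
    for ts, src, dst in sorted(flows):
        # Hosts on the ignore list are never counted as scanners.
        if any(ip_address(src) in net for net in ignored):
            continue
        window = recent[src]
        window.append((ts, dst))
        # Drop contacts that have aged out of the time window.
        while window and ts - window[0][0] > timeout:
            window.popleft()
        if len({d for _, d in window}) > target_limit:
            flagged.add(src)
    return flagged


# Constructed sample traffic (not taken from the thread).
DNS_SERVER = "192.0.2.53"    # resolver querying many remote name servers
WORKSTATION = "192.0.2.20"   # ordinary host talking to two destinations
FLOWS = [(i * 2, DNS_SERVER, f"198.51.100.{i + 1}") for i in range(12)]
FLOWS += [(0, WORKSTATION, "203.0.113.5"), (30, WORKSTATION, "203.0.113.6")]

if __name__ == "__main__":
    print("without ignore list:", scan_sources(FLOWS))
    print("with DNS server ignored:",
          scan_sources(FLOWS, ignorehosts=[DNS_SERVER]))
```

If a local source is still flagged after the known DNS servers are ignored, that host is the one to investigate.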