[Snort-users] portscans from

larosa, vjay larosa_vjay at ...3331...
Thu Jan 30 13:04:02 EST 2003

My tcp Q access rule on my border IDSes has been firing like mad. There
is a discussion in the intrusions at ...2034... mailing list concerning
Everybody is boggled as to what might be causing it.


-----Original Message-----
From: twig les [mailto:twigles at ...131...]
Sent: Thursday, January 30, 2003 3:40 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] portscans from

Hey all, I have seriously debated whether I should
send this since it may or may not be off-topic; it's
just too bizarre to tell.  My border routers are
syslogging this:

bdr-acl-in denied tcp ->

The acl is named correctly - these hits are coming
from the outside.  They hit random IPs in our range
like NMAP, and they always target a high port coming
from 80.  I would assume they are from a LAN upstream
since only routers doing stupid things forward
broadcasts.  The implications of this coming from our
upstream provider are quite large since we peer via
dual /30s.

It isn't crucial to my security (we don't let those
shenanigans in the border), but does snort see this as
bad traffic?  I did a quick "grep *"
in the snortrules dir and only came up with a couple
of snmp rules.  I would like to know if I should write
a rule for this since I only caught this by accident
this time.

Know yourself and know your enemy and you will never fear defeat.         
