[Snort-users] Confused about rules and logs

b311b-snort at ...6044...
Sun May 9 16:29:00 EDT 2004


I'm running snort version 1.7 on a NetBSD Firewall.  I start it with -D -c /usr/local/share/snort/rules.conf -s.  I got my rules file from http://whitehats.com/ids/ and my local network is 192.168.2.0/24.

Everything seems to work ok, but I have one Doze box that is constantly generating 1000s of entries per day to /var/log/snort/log that look like this:

[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]

There's a series of new log messages generated once every 7 or 8 seconds.  I have other Doze boxes on the network that do not generate these messages.  The PC that's generating the messages has been scanned for viruses and spyware... and I've shut down all non-critical processes and they just keep coming.  There are no alerts.  How do I go about figuring out what's generating these messages?  And if they're harmless, how do I fix things so they're not logged?

Thanks.

Brenda Bell
Henniker (the only one on earth)
New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)
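A quick way to triage this kind of log, added here as an example and not part of the original post or of Snort: parse the spp_portscan status lines, total the TCP/UDP connection counts per source, and flag the hosts that only ever trip the preprocessor with UDP. The sample log content is constructed in the same format as the line quoted above; the generated exclusion line uses the Snort 1.x `portscan-ignorehosts` preprocessor directive, and that it is the right fix for this installation is an assumption.

```python
import re
from collections import defaultdict

# Matches the spp_portscan status line format quoted in the post.
STATUS_RE = re.compile(
    r"\[\*\*\] spp_portscan: portscan status from (?P<src>\d+(?:\.\d+){3}): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\) \[\*\*\]"
)

# Constructed sample in the /var/log/snort/log style (not a real capture).
SAMPLE_LOG = """\
[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
[**] spp_portscan: portscan status from 192.168.2.252: 4 connections across 4 hosts: TCP(0), UDP(4) [**]
[**] spp_portscan: portscan status from 192.168.2.17: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
some unrelated line that the parser must skip
[**] spp_portscan: portscan status from 192.168.2.252: 3 connections across 3 hosts: TCP(0), UDP(3) [**]
"""


def summarize(log_text):
    """Aggregate status lines per source: entry count, TCP/UDP totals, widest spread."""
    summary = defaultdict(lambda: {"entries": 0, "tcp": 0, "udp": 0, "max_hosts": 0})
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # ignore anything that is not a status line
        s = summary[m["src"]]
        s["entries"] += 1
        s["tcp"] += int(m["tcp"])
        s["udp"] += int(m["udp"])
        s["max_hosts"] = max(s["max_hosts"], int(m["hosts"]))
    return dict(summary)


def udp_only_sources(summary, min_entries=2):
    """Sources that repeatedly trip the preprocessor with UDP and never TCP.

    Repeated UDP-only traffic to many LAN hosts from one box is the first thing
    to check when deciding whether the entries are benign chatter rather than a
    real scan; confirm what that host is sending before silencing it.
    """
    return sorted(src for src, s in summary.items()
                  if s["entries"] >= min_entries and s["tcp"] == 0 and s["udp"] > 0)


def ignore_directive(sources):
    """Snort 1.x config line excluding the given hosts from spp_portscan (assumed fix)."""
    return "preprocessor portscan-ignorehosts: " + " ".join(sources)


if __name__ == "__main__":
    summ = summarize(SAMPLE_LOG)
    for src, s in summ.items():
        print(f"{src}: {s['entries']} entries, TCP={s['tcp']}, UDP={s['udp']}, up to {s['max_hosts']} hosts")
    print(ignore_directive(udp_only_sources(summ)))
```

Excluding a host silences real scans from it too, so the directive is only appropriate once the UDP source on that box has been identified.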