[Snort-users] False positives with UDP Portscan PROTO255

Mike Lieberman Mike at ...12324...
Sat Mar 5 15:18:34 EST 2005

I have doubts about some of the messages I am getting from Snort (using
rules for 2.3). For instance the following portscan message is from
ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS server
traffic labeled as port scans. In the case below, unless Sprint's primary
name server (as well as many others from [have]) has been compromised,
these 'portscans' would actually have to be something related to BIND.


[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 ->
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162


ns1.sprintlink.net []

