[Snort-users] False positives with UDP Portscan PROTO255
Mike at ...12324...
Sat Mar 5 15:18:34 EST 2005
I have doubts about some of the messages I am getting from Snort (using
rules for 2.3). For instance the following portscan message is from
ns1.sprintlink.net to ns1.netwright.net. We see DNS server to DNS server
traffic labeled as port scans. In the case below, unless Sprint's primary
name server (as well as many others from [have]) has been compromised,
these 'portscans' would actually have to be something related to BIND.
[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 184.108.40.206 -> 220.127.116.11
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162
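The alert quoted above is the three-line format sfPortscan writes in Snort 2.x: the generator/signature header, a timestamp with source and destination, and a pseudo-packet line whose protocol field (PROTO255) marks it as a preprocessor-generated summary rather than a captured datagram. The following is an added example, not code from the post or from the Snort project, showing how a defender might triage such alerts offline: it parses the alert text and marks UDP portscan alerts whose source and destination are both on an operator-maintained list of known name servers as probable DNS peer traffic, so they can be reviewed separately from alerts involving unknown hosts. The function names, the `PortscanAlert` class, the second alert and the 198.51.100.77 address are constructed for the example; the first alert is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: the sfPortscan alert quoted in the post, followed
# by a second alert with a constructed source address that is not a name server.
SAMPLE_ALERTS = """\
[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-20:49:34.062746 184.108.40.206 -> 220.127.116.11
PROTO255 TTL:0 TOS:0x0 ID:44289 IpLen:20 DgmLen:162

[**] [122:17:0] (portscan) UDP Portscan [**]
03/04-21:02:11.000001 198.51.100.77 -> 220.127.116.11
PROTO255 TTL:0 TOS:0x0 ID:44290 IpLen:20 DgmLen:162
"""

# Line 1: [**] [gid:sid:rev] (preprocessor) message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] \((\w+)\) (.+?) \[\*\*\]$")
# Line 2: MM/DD-HH:MM:SS.usec src -> dst
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
# Line 3: PROTOnnn TTL:.. TOS:.. ID:.. IpLen:.. DgmLen:..
PROTO_RE = re.compile(
    r"^(\S+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)$")


@dataclass
class PortscanAlert:
    gid: int
    sid: int
    rev: int
    preprocessor: str
    message: str
    timestamp: str
    src: str
    dst: str
    proto: str
    dgm_len: int


def parse_alerts(text: str) -> List[PortscanAlert]:
    """Parse consecutive three-line sfPortscan alerts; skip anything else."""
    alerts: List[PortscanAlert] = []
    lines = [line.rstrip() for line in text.splitlines()]
    i = 0
    while i + 2 < len(lines):
        header = HEADER_RE.match(lines[i])
        if not header:
            i += 1
            continue
        packet = PACKET_RE.match(lines[i + 1])
        proto = PROTO_RE.match(lines[i + 2])
        if not (packet and proto):
            i += 1
            continue
        alerts.append(PortscanAlert(
            gid=int(header[1]), sid=int(header[2]), rev=int(header[3]),
            preprocessor=header[4], message=header[5],
            timestamp=packet[1], src=packet[2], dst=packet[3],
            proto=proto[1], dgm_len=int(proto[6])))
        i += 3
    return alerts


def is_dns_peer_traffic(alert: PortscanAlert, known_dns_servers: Set[str]) -> bool:
    """True when a UDP portscan alert has both endpoints on the name-server list."""
    return (alert.preprocessor == "portscan"
            and alert.message.startswith("UDP")
            and alert.src in known_dns_servers
            and alert.dst in known_dns_servers)


def triage(text: str, known_dns_servers: Set[str]) -> List[Tuple[str, str, str]]:
    """Label each alert 'likely-dns-peer' or 'review' for an analyst queue."""
    return [(a.src, a.dst,
             "likely-dns-peer" if is_dns_peer_traffic(a, known_dns_servers) else "review")
            for a in parse_alerts(text)]


if __name__ == "__main__":
    # Operator-maintained allowlist; here the two addresses from the post.
    known = {"184.108.40.206", "220.127.116.11"}
    for src, dst, label in triage(SAMPLE_ALERTS, known):
        print(f"{src} -> {dst}: {label}")
```

The list of peer name servers has to be maintained deliberately, since a host on it that is later compromised would have its scans down-ranked; in Snort 2.x itself the equivalent tuning is done in the sfPortscan preprocessor line with its `ignore_scanners` and `ignore_scanned` IP lists rather than in post-processing.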