spp_portscan warning on snort

From: mw (@)
Date: 06/27/02


From: mw <marsw @ subdimension . cXXXXm>
Date: Thu, 27 Jun 2002 21:59:42 +0200

Hello there

I'm using snort as an IDS on a simple dialup connection (which is sometimes
connected for many hours), and I'm constantly getting the following type of
messages in /var/log/snort/alert (roughly once every 5 or 6 seconds):

[**] [100:2:1] spp_portscan: portscan status from XX.XX.XX.XX: 1 connections
across 1 hosts: TCP(1), UDP(0) [**]
06/27-21:32:34.093552

[**] [100:2:1] spp_portscan: portscan status from XX.XX.XX.XX: 2 connections
across 2 hosts: TCP(2), UDP(0) [**]
06/27-21:35:40.063173

Sometimes I also get the following message (or similar):

[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/27-21:37:22.631173 XX.XX.XX.XX -> YY.YY.YY.YY
ICMP TTL:255 TOS:0x0 ID:26676 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
[Xref => http://www.whitehats.com/info/IDS246]

XX.XX.XX.XX is always the local IP number that I'm assigned when I connect
to my provider, and YY.YY.YY.YY some host I'm connected to (right now it's
an IP of an ftp site I'm downloading gnome 2.0 from, for example).

I'm using the default SuSE 8.0 firewall setting for dialup connections (no
services to the outside), and all ports show up as closed on those free
portscan services that can be found on certain websites. I've used snort
before (using the default rules file) and it only showed warnings once in a
while (once a week at most).

Does anyone know what's going on?

Thanks in advance,
MW.
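A first step in answering the question is to read the alert file mechanically rather than by eye, so it becomes obvious which alerts name the dialup address as the source (traffic the machine itself generated) and which name it as the destination. The parser below is an added example, not code from the post or from the Snort project; it reads Snort 1.x's "full" alert format as it appears in /var/log/snort/alert, handles both alert shapes quoted above (spp_portscan status lines, which carry the source only inside the message text, and rule alerts with a timestamp, src -> dst and packet header lines), and tallies alerts by signature and by direction relative to the local address. The sample alerts are constructed from the ones quoted in the post with the mail line-wrapping removed and documentation-range placeholder IPs (192.0.2.10 standing in for XX.XX.XX.XX, 198.51.100.7 for YY.YY.YY.YY, plus one constructed inbound alert for contrast).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in Snort 1.x "full" alert format, modelled on the
# alerts quoted in the post. The portscan status line is one line in the
# real file; the mail client wrapped it. IPs are placeholders.
SAMPLE_ALERTS = """\
[**] [100:2:1] spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0) [**]
06/27-21:32:34.093552

[**] [100:2:1] spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(2), UDP(0) [**]
06/27-21:35:40.063173

[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/27-21:37:22.631173 192.0.2.10 -> 198.51.100.7
ICMP TTL:255 TOS:0x0 ID:26676 IpLen:20 DgmLen:1500
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
[Xref => http://www.whitehats.com/info/IDS246]

[**] [1:499:1] MISC Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
06/27-21:40:01.000001 203.0.113.5 -> 192.0.2.10
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:1500
Type:8 Code:0 ID:0 Seq:0 ECHO
"""

LOCAL_IP = "192.0.2.10"  # placeholder for the address the provider assigned


@dataclass
class Alert:
    gid: int            # generator id (100 = spp_portscan, 1 = rules engine)
    sid: int            # signature id
    rev: int            # signature revision
    message: str        # text between the [**] markers
    timestamp: str      # MM/DD-HH:MM:SS.usec
    src: Optional[str]  # None when the alert carries no address
    dst: Optional[str]


# "[**] [gid:sid:rev] message [**]" header line
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
# timestamp line, optionally followed by "src -> dst" for rule alerts
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?: (\S+) -> (\S+))?$")
# spp_portscan puts the scanning host only in the message text
PORTSCAN_SRC_RE = re.compile(r"portscan status from (\S+):")


def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file into blank-line separated records and parse each."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a well-formed alert header; skip the block
        gid, sid, rev, msg = int(m[1]), int(m[2]), int(m[3]), m[4]
        ts, src, dst = "", None, None
        for line in lines[1:]:
            t = TIME_RE.match(line)
            if t:
                ts, src, dst = t[1], t[2], t[3]
                break
        if src is None:
            p = PORTSCAN_SRC_RE.search(msg)
            if p:
                src = p[1]
        alerts.append(Alert(gid, sid, rev, msg, ts, src, dst))
    return alerts


def direction(alert: Alert, local_ip: str) -> str:
    """Classify an alert relative to the local address."""
    if alert.src == local_ip:
        return "outbound"
    if alert.dst == local_ip:
        return "inbound"
    return "unknown"


def summarize(alerts: List[Alert], local_ip: str) -> Dict[str, object]:
    """Count alerts per signature and per direction, and how many portscan
    status alerts name the local host itself as the scanner."""
    by_sig = Counter((a.gid, a.sid) for a in alerts)
    by_dir = Counter(direction(a, local_ip) for a in alerts)
    scans_from_local = sum(1 for a in alerts if a.gid == 100 and a.src == local_ip)
    return {
        "by_signature": dict(by_sig),
        "by_direction": dict(by_dir),
        "portscans_from_local": scans_from_local,
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} [{a.gid}:{a.sid}] {direction(a, LOCAL_IP):8} {a.src} -> {a.dst}")
    print(summarize(parsed, LOCAL_IP))
```

Run against the real file (`parse_alerts(open("/var/log/snort/alert").read())` with `LOCAL_IP` set to the current dialup address), a `portscans_from_local` count equal to the total number of [100:2:1] alerts confirms that the preprocessor is reporting the machine's own outgoing connections as scan activity, which is the usual tuning case on a host with no services exposed; the `by_direction` split does the same for the rule alerts, separating the echo replies this host sent from anything that actually arrived from outside.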
