Snort mailing list archives
RE: Portscan from own interface
From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Thu, 10 May 2001 10:37:24 +0100
Actually no ideas, but I strongly advise you to put some anti-spoof measures on your border router in order to eliminate any possibility of spoofing. Logging those packets might be a good idea too.

Fernando

--
Fernando Cardoso - Security Consultant
WhatEverNet Computing, S.A.
Phone : +351 21 7994200
Praca de Alvalade, 6 - Piso 6
Fax : +351 21 7994242
1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com
http://www.whatevernet.com/

I noticed something strange in the snort-log file. I got a portscan from the external interface of my firewall. Normally the offending host is logged, but now my external IP is listed. What can be the cause? Spoofing of some kind?

The next lines are only a few from the messages log.

May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times

x.x.x.x is the IP of the external interface.

I'm running snort 1.8 beta on redhat 7.0 i386.

Any ideas?

Patrick

--
ZZzz  |\      _,,,---,,_
      /,`.-'`'    -.  ;-;;,_
     |,4-  ) )-,_..;\ (  `'-'
    '---''(_/--'  `-'\_)

The slogan from the irs: We've got what it takes to take what you've got!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
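
One way to triage the situation described in this thread, as an added example that is not part of the original messages: it scans syslog for spp_portscan status lines whose reported source is one of the sensor's own addresses. The log format follows the lines quoted above; the function name and the addresses (documentation ranges standing in for x.x.x.x) are constructed for illustration.

```python
import re
from collections import Counter

# Matches the spp_portscan status lines quoted in the message above.
STATUS = re.compile(
    r"snort\[\d+\]: spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times")

# Constructed sample input: 192.0.2.10 stands in for the external interface.
SAMPLE_LOG = """\
May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from 192.0.2.10: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times
May 10 09:02:00 proxy snort[17307]: spp_portscan: portscan status from 198.51.100.7: 3 connections across 1 hosts: TCP(3), UDP(0)
""".splitlines()


def self_sourced_reports(lines, local_addrs):
    """Count portscan status reports whose source is one of our own addresses.

    syslog collapses identical consecutive lines into "last message repeated
    N times", so those repeats are credited to the preceding status line.
    """
    counts = Counter()
    last_src = None
    for line in lines:
        status = STATUS.search(line)
        if status:
            last_src = status.group("src")
            if last_src in local_addrs:
                counts[last_src] += 1
            continue
        repeat = REPEAT.search(line)
        if repeat and last_src in local_addrs:
            counts[last_src] += int(repeat.group("n"))
        elif not repeat:
            last_src = None  # an unrelated line ends the repeat chain
    return dict(counts)


if __name__ == "__main__":
    # Any hit means the sensor attributed scan activity to its own address.
    print(self_sourced_reports(SAMPLE_LOG, {"192.0.2.10"}))
```
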