Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Portscan from own interface

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Thu, 10 May 2001 10:37:24 +0100
Actually no ideas, but I strongly advise you to put some anti-spoof measures
on your border router in order to eliminate any possibility of spoofing.
Logging those packets might be a good idea too.

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/




I noticed someting stange in the snort-log file. I got a portscan
from the
external interface from my firewall. Normally the offending hosts
is logged,
but now my external ip is listed.

What can be the cause? Spoofing of some kind?
The next line are only a few from the messages log.

May 10 09:01:01 proxy snort[17307]: spp_portscan: portscan status from
x.x.x.x: 2 connections across 2 hosts: TCP(1), UDP(1)
May 10 09:01:05 proxy snort[17307]: spp_portscan: portscan status from
x.x.x.x: 1 connections across 1 hosts: TCP(0), UDP(1)
May 10 09:01:15 proxy last message repeated 2 times

x.x.x.x is the ip of the external interface.
I'm running snort 1.8 beta on redhat 7.0 i386

Any idea's?

Patrick

--
 ZZzz   |\      _,,,---,,_
        /,`.-'`'                 -.  ;-;;,_
       |,4-  ) )-,_..;\ (  `'-'
      '---''(_/--'  `-'\_)

The slogan from the irs:
We've got what it takes to take what you've got!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: