Snort mailing list archives
RE: Portscan 2 question
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Thu, 24 Oct 2002 14:33:24 -0400
it's 'last' and again, *any* service allowing ephemeral ports may cause this, not just DNS.

cheers,
John

-----Original Message-----
From: Joe Giles [mailto:jgiles () joeman1 com]
Sent: Thursday, October 24, 2002 2:13 PM
To: Robby Desmond
Cc: Snort-List
Subject: Re: [Snort-users] Portscan 2 question

Well, I'm not RUNNING a DNS server, but I use one. My ISP's DNS... Should I add that to the list? Also, I don't seem to have the 'lasts' command. What package is that part of?

Thanks for the reply
Joe

On Thu, 2002-10-24 at 12:03, Robby Desmond wrote:
> At 11:22 AM 10/24/02 -0600, you wrote:
> > I have a weird problem with 2 entries in my ACID database. Apparently, my server did a port scan on a remote machine. The problem is that no one here initiated a port scan. The database lists my server IP as the source and lists a dest IP. This is listed as a spp_portscan2. Does the new snort scan other machines on the Internet? I don't want any issues with other services because they think I'm port scanning their network.
> >
> > Thanks
> > Joe
>
> Are you, by chance, running DNS? You should add your DNS servers to the list of portscan2-ignorehosts, otherwise you will get this sort of activity. If you are not running DNS, then check the "lasts" command to see who has been on your system. (Or who has been appearing as someone on your system.)
>
> -Robby
>
> Robert Desmond
> Systems Administrator
> UCSB Extended Learning Services
> 805-893-4906
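The advice in this thread is to list the DNS servers a host uses under portscan2-ignorehosts. The following is an added example, not part of the original thread or of Snort: it reads resolver addresses from resolv.conf-style text and builds the directive line. The function names and sample file are constructed, and the space-separated CIDR list after `preprocessor portscan2-ignorehosts:` is assumed to match the form used in your Snort version's snort.conf.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf content (documentation address ranges).
SAMPLE_RESOLV_CONF = """\
# generated by dhclient
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.7   # secondary resolver
nameserver 2001:db8::53
nameserver not-an-ip
nameserver 192.0.2.53
"""


def resolver_addresses(text):
    """Return the unique IPv4 resolver addresses, in file order."""
    found = []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then split into whitespace fields.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # malformed entry: never copy it into the sensor config
        # Assumption: only IPv4 is emitted, and a loopback resolver is skipped
        # because its traffic never crosses the monitored interface.
        if addr.version != 4 or addr.is_loopback:
            continue
        if addr not in found:
            found.append(addr)
    return found


def ignorehosts_line(addresses):
    """Build the snort.conf line, or None when there is nothing to ignore."""
    if not addresses:
        return None
    hosts = " ".join(f"{a}/32" for a in addresses)
    return f"preprocessor portscan2-ignorehosts: {hosts}"


if __name__ == "__main__":
    # With a real host: resolver_addresses(open("/etc/resolv.conf").read())
    print(ignorehosts_line(resolver_addresses(SAMPLE_RESOLV_CONF)))
```

Each ignored host is a blind spot for scan detection, so the output is limited to exact /32 resolver addresses rather than whole networks.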