From: alexus (mldb.nexgen.com)
Date: Wed Jun 20 2001 - 00:37:29 CDT

    i figured it out:) never mind thanks

    ----- Original Message -----
    From: "Joe McAlerney" <joeySiliconDefense.com>
    To: "alexus" <mldb.nexgen.com>
    Cc: <Snort-userslists.sourceforge.net>
    Sent: Tuesday, June 19, 2001 7:36 PM
    Subject: Re: [Snort-users] snort detects portscan?

    > The portscan preprocessor is detecting "stealth" packets. They will be
    > alerted on regardless of whether or not you have the source host defined
    > in portscan-ignorehosts. There are some good examples of why this
    > occurs in the archives of this mailing list. Most recently, it is
    > caused by ECN packets with Linux 2.4 kernels.
    >
    > -Joe M.
    >
    > --
    > | Joe McAlerney joeysilicondefense.com |
    > | Silicon Defense - Technical Support for Snort |
    > | http://www.silicondefense.com/ |
    > +-- --+
    >
    > alexus wrote:
    > >
    > > un 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
    > > Jun 19 19:05:26 box /kernel: Jun 19 19:05:26 box snort: spp_portscan: portscan status from 216.27.143.184: 2 connections across 1 hosts: TCP(1), UDP(1) STEALTH
    > > Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
    > > Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 216.27.143.184: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
    > >
    > > i'm getting this in my syslog like every other 10 minutes.. i know that ip is
    > > not portscanning me 'cause i wouldn't portscan myself:)
    > >
    > > any ideas what could cause that?
    > >
    > > as far as i can tell i do have a bit of communication between my box and
    > > that pc .. that's dns .. but then again why is it doing every 10 minutes?
    > > and in snort.conf i put into var DNS_SERVERS i put this ip..
    > >
    > > _______________________________________________
    > > Snort-users mailing list
    > > Snort-userslists.sourceforge.net
    > > Go to this URL to change user options or unsubscribe:
    > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > Snort-users list archive:
    > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
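
Added example (not part of the original thread and not Snort code): since the reply notes that STEALTH alerts fire even for hosts listed in portscan-ignorehosts, one way to triage them afterwards is to parse the spp_portscan "End of portscan" syslog lines, drop the `/kernel:` echo of each line, and look at how regular and how small the events from a known peer are. The sample lines, addresses, the year, and the `known_peers` / `max_conns` parameters are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread. 192.0.2.53 is a
# documentation address standing in for the DNS server; timestamps are made up.
SAMPLE = """\
Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:05:30 box /kernel: Jun 19 19:05:30 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:15:31 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:25:29 box snort: spp_portscan: End of portscan from 192.0.2.53: TOTAL time(1s) hosts(1) TCP(1) UDP(1) STEALTH
Jun 19 19:40:02 box snort: spp_portscan: End of portscan from 198.51.100.7: TOTAL time(12s) hosts(40) TCP(310) UDP(0)
"""

END_RE = re.compile(
    r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: spp_portscan: End of portscan from "
    r"([\d.]+): TOTAL time\((\d+)s\) hosts\((\d+)\) TCP\((\d+)\) UDP\((\d+)\)( STEALTH)?")

def parse(text, year=2001):
    """Return unique end-of-scan events; the '/kernel:' echo of a line is dropped."""
    seen = set()
    for line in text.splitlines():
        m = END_RE.search(line)  # matches the inner record of an echoed line too
        if m:
            ts, src, _secs, hosts, tcp, udp, stealth = m.groups()
            # syslog timestamps carry no year, so one is supplied (assumption)
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            seen.add((when, src, int(hosts), int(tcp) + int(udp), bool(stealth)))
    return sorted(seen)

def triage(events, known_peers, max_conns=2):
    """Per source: event count, gaps between events in minutes, and a verdict."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        gaps = [round((b[0] - a[0]).total_seconds() / 60) for a, b in zip(evs, evs[1:])]
        # "tiny": every event is STEALTH, touches one host, with very few connections
        tiny = all(e[4] and e[2] == 1 and e[3] <= max_conns for e in evs)
        verdict = "likely-benign" if tiny and src in known_peers else "review"
        report[src] = {"events": len(evs), "gaps_min": gaps, "verdict": verdict}
    return report

REPORT = triage(parse(SAMPLE), known_peers={"192.0.2.53"})
```

A source that is not in `known_peers`, or whose events touch more than one host, stays in the "review" bucket regardless of how regular its timing is.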