Also, the target IP is Slashdot's IP...

--- Bruce Banner <[EMAIL PROTECTED]> wrote:
> It doesn't look like anything to worry about; they are false
> positives leaving your network. Your network is a private network,
> 192.168.1.x, and the false attacks are you hitting a DNS, probably
> your DNS, and your network hitting a website. 192.168.1 is a private
> network range; that means they are unroutable on the public internet
> unless statically routed. I would say they are false positives.
> When running nmap, run it on your eth0 interface as opposed to your
> loopback; this can give different results. Check your home_net and
> DNS server entries in snort.conf.
>
> There is a script in cron.weekly that starts lpd once a week.
>
> --- Patrick Albuquerque <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Anyone have an idea why I'm a portscanner?
> > I'm running unstable, DSL through a router.
> >
> > Some sample snort output:
> >
> > [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
> > 07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
> > UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
> > Len: 43
> >
> > [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
> > 07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
> > TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
> > ******S* Seq: 0x51642A4F Ack: 0x0 Win: 0x16D0 TcpLen: 40
> > TCP Options (5) => MSS: 1460 SackOK TS: 1350334 0 NOP WS: 0
> >
> > whois says these particular targets are
> > OrgName: Exchange Point Blocks
> > OrgName: Cable & Wireless
> > and I have no connection to them AFAICT.
> >
> > nmap localhost says:
> > Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-07-13 20:25 CDT
> > Interesting ports on loopback (127.0.0.1):
> > (The 1618 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 53/tcp     open        domain
> > 111/tcp    open        sunrpc
> > 953/tcp    open        rndc
> >
> > Also, every now and then, I notice lpd running. I don't have a
> > printer, and lpd is not in /etc/rc2.d
> >
> > Sorry, but I'm pretty ignorant regarding network/security issues.
> >
> > Is it time to panic yet?
> >
> > Thanks for any advice.
> >
> > Patrick.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
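
The triage reasoning in the thread above (private source address, traffic leaving the LAN toward DNS and web ports) can be applied mechanically to spp_portscan2 alerts. The following is an added example, not part of the original messages or of Snort; the HOME_NET value, the client port set, and the rate threshold are assumptions chosen to match the thread.

```python
import ipaddress
import re

# The two spp_portscan2 alerts quoted in the thread, rejoined into Snort's line layout.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
Len: 43

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
******S* Seq: 0x51642A4F Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the poster's LAN
CLIENT_PORTS = {53, 80, 443}   # assumption: services an ordinary client contacts
MAX_RATE = 1.0                 # assumption: targets per second still plausible for browsing

ALERT = re.compile(r"Portscan detected from (\S+): (\d+) targets (\d+) ports in (\d+) seconds")
PACKET = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def triage(text, home_net=HOME_NET):
    """Pair each portscan alert with its triggering packet and label it."""
    results, alert = [], None
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            alert = m
            continue
        p = PACKET.match(line.strip())
        if not (p and alert):
            continue
        src, dst = ipaddress.ip_address(p.group(1)), ipaddress.ip_address(p.group(3))
        sport, dport = int(p.group(2)), int(p.group(4))
        rate = int(alert.group(2)) / max(int(alert.group(4)), 1)
        benign = (src in home_net and dst not in home_net      # leaving the LAN
                  and sport >= 1024 and dport in CLIENT_PORTS  # ephemeral -> well-known
                  and rate <= MAX_RATE)                         # slow, not a sweep
        results.append({"src": str(src), "dst": f"{dst}:{dport}", "rate": round(rate, 2),
                        "verdict": "likely-false-positive" if benign else "investigate"})
        alert = None
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

A "likely-false-positive" label is a triage hint only; alerts sourced outside HOME_NET, aimed at non-client ports, or arriving at a high rate fall through to "investigate".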