On Sun, Jul 13, 2003 at 07:42:29PM -0700, Bruce Banner wrote: > It doesn't look like anything to worry about they are > false positives leaving your network. Your network is > a private network 192.168.1.x and the false attacks > are you hitting a dns probably your dns and your > network hitting a website. 192.168.1 is a private > network range that means they are unroutable on the > public internet unless statically routed. I would say > they are false positives. When running nmap run it on > your eth0 interface as opposed to your loopback this > can give different results. check your home_net and > dns server entries in snort.conf. >
Thanks, your explanation makes sense. I've taken a stab at configuring snort.conf -- I hadn't looked at it before. > > There is a script in cron.weekly that starts lpd once > a week. So there is! (This had me more worried than the port scans...) And good call about Slashdot -- I _was_ browsing there about that time, and I was scanning Exodus too. Thanks again for your help, Bruce. Patrick -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]