5. RC2 AMD and snort strangness

RC2 AMD and snort strangness

  • G

    2.0-RC2 (amd64)
    built on Thu May 12 17:58:58 EDT 2011

    Ever since upgrading to RC2 my snort logs are filling up with alerts smiler to the below,

    1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> 91.xxx.xx.1 empty 122:26:0

    91.xxx.xx.2 is the wan interface of the PFSense box and 91.xxx.xx.1 is the interface of a hardened FreeBSd server in front of it which is acting as a quagga router. While this is annoying they are only directed at hosts controlled by this organisation and therefore I can live with the problem short term. However some of the entries are not to hosts we control e.g.
    15 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> 85.233.160.130 empty 122:26:0

    This sort of entry accounts for about 10% of the couple of 100 events generated in the last 12 hours and my concern is that an IDS on the remote host will see this as a possible attack originating from our sites and block access.

    So does anyone know if this is a fault with snort on RC2 or has some strangeness crept into the base code that is causing this behaviour. I'll have to seriously considering reverting back to RC1 if we start getting blocked by remote IDS hosts.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy