RC2 AMD and snort strangeness

  • 2.0-RC2 (amd64)
    built on Thu May 12 17:58:58 EDT 2011

    Ever since upgrading to RC2 my snort logs are filling up with alerts similar to the one below:

    1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> 91.xxx.xx.1 empty 122:26:0

    91.xxx.xx.2 is the WAN interface of the pfSense box and 91.xxx.xx.1 is the interface of a hardened FreeBSD server in front of it which is acting as a quagga router. While this is annoying, they are only directed at hosts controlled by this organisation and therefore I can live with the problem short term. However, some of the entries are not to hosts we control, e.g.:

    15 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> empty 122:26:0

    This sort of entry accounts for about 10% of the couple of hundred events generated in the last 12 hours, and my concern is that an IDS on the remote host will see this as a possible attack originating from our sites and block access.

    So does anyone know if this is a fault with snort on RC2, or has some strangeness crept into the base code that is causing this behaviour? I'll have to seriously consider reverting back to RC1 if we start getting blocked by remote IDS hosts.

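A small triage script for the portscan alert lines quoted in the post, added here as an example and not part of the original thread: it parses the `count priority PROTO:n (portscan) message src sport -> [dst] dport gid:sid:rev` layout, handles the second form where the destination field is blank, and reports what share of alerts are not aimed at prefixes you control. The sample lines and the `192.0.2.0/24` / `203.0.113.7` addresses are constructed stand-ins for the masked `91.xxx.xx.x` values in the post.

```python
import ipaddress
import re
from collections import Counter

# Field layout of the portscan alert lines quoted in the post:
# <count> <priority> PROTO:<n> (portscan) <message> <src> <sport> -> [<dst>] <dport> <gid:sid:rev>
# The destination is optional because the second quoted entry has none ("-> empty 122:26:0").
ALERT_RE = re.compile(
    r"^(?P<count>\d+)\s+(?P<priority>\d+)\s+PROTO:(?P<proto>\d+)\s+"
    r"(?P<msg>\(portscan\).*?)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?:(?P<dst>\S+)\s+)?(?P<dport>\S+)\s+(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)$"
)

# Constructed sample alerts (documentation ranges stand in for the post's masked addresses).
SAMPLE_ALERTS = [
    "1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 192.0.2.2 empty -> 192.0.2.1 empty 122:26:0",
    "15 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 192.0.2.2 empty -> empty 122:26:0",
    "2 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 192.0.2.2 empty -> 203.0.113.7 empty 122:26:0",
    "1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 192.0.2.2 empty -> 192.0.2.9 empty 122:26:0",
    "garbage line that is not an alert",
]
# Prefixes this organisation controls (constructed; replace with your own).
CONTROLLED = [ipaddress.ip_network("192.0.2.0/24")]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a portscan alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(alert, controlled):
    """internal: destination in one of our prefixes; external: some other host;
    blank: no destination field at all (the post's second example)."""
    dst = alert["dst"]
    if dst is None or dst == "empty":
        return "blank"
    ip = ipaddress.ip_address(dst)
    return "internal" if any(ip in net for net in controlled) else "external"

def summarize(lines, controlled):
    """Count alerts per class and report the share not aimed at our own hosts."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            counts["unparsed"] += 1  # keep a tally so parser gaps are visible
            continue
        counts[classify(alert, controlled)] += 1
    total = counts["internal"] + counts["external"] + counts["blank"]
    counts["share_not_ours"] = (counts["external"] + counts["blank"]) / total if total else 0.0
    return dict(counts)

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS, CONTROLLED))
```

Each line is counted once here; if the leading number turns out to be an event count, weight by `alert["count"]` instead.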