Netgate Discussion Forum
    RC2 AMD and snort strangeness

    2.0-RC Snapshot Feedback and Problems - RETIRED
    1 Posts 1 Posters 942 Views
    Gloom

      2.0-RC2 (amd64)
      built on Thu May 12 17:58:58 EDT 2011

      Ever since upgrading to RC2 my snort logs are filling up with alerts similar to the below:

      1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> 91.xxx.xx.1 empty 122:26:0

      91.xxx.xx.2 is the WAN interface of the pfSense box and 91.xxx.xx.1 is the interface of a hardened FreeBSD server in front of it which is acting as a quagga router. While this is annoying, they are only directed at hosts controlled by this organisation and therefore I can live with the problem short term. However, some of the entries are not to hosts we control, e.g.
      15 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 91.xxx.xx.2 empty -> 85.233.160.130 empty 122:26:0

      This sort of entry accounts for about 10% of the couple of 100 events generated in the last 12 hours and my concern is that an IDS on the remote host will see this as a possible attack originating from our sites and block access.

      So does anyone know if this is a fault with snort on RC2, or has some strangeness crept into the base code that is causing this behaviour? I'll have to seriously consider reverting back to RC1 if we start getting blocked by remote IDS hosts.

      Never underestimate the power of human stupidity

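A triage script for alert lines in the layout quoted above, added here as an example and not code from the poster or from pfSense/snort. It parses each line, keeps only the portscan alerts whose source is the firewall's own WAN address, and counts how many of those point at destinations outside the prefixes the organisation controls (the share the post puts at about 10%). The sample lines, the WAN address and the owned prefixes are constructed placeholders in documentation ranges standing in for the masked 91.xxx.xx.x values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the layout quoted in the post (addresses are
# documentation-range placeholders, not real hosts).
SAMPLE_ALERTS = """\
1 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 198.51.100.2 empty -> 198.51.100.1 empty 122:26:0
15 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 198.51.100.2 empty -> 203.0.113.130 empty 122:26:0
7 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 198.51.100.2 empty -> 198.51.100.9 empty 122:26:0
2 3 PROTO:255 (portscan) ICMP Filtered Sweep Prep 203.0.113.7 empty -> 198.51.100.2 empty 122:26:0
"""

# Fields as they appear in the quoted lines: count, priority, PROTO:n,
# (classtype), message, src, sport, ->, dst, dport, gid:sid:rev.
ALERT_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+PROTO:(\d+)\s+\(([^)]*)\)\s+(.+?)\s+"
    r"([\d.]+)\s+(\S+)\s+->\s+([\d.]+)\s+(\S+)\s+(\d+:\d+:\d+)\s*$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if it is not in this layout."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    count, pri, proto, classtype, msg, src, _sp, dst, _dp, sid = m.groups()
    return {"count": int(count), "priority": int(pri), "proto": int(proto),
            "classtype": classtype, "msg": msg, "src": src, "dst": dst, "sid": sid}


def triage(text, firewall_wan, owned_prefixes):
    """Count portscan alerts naming the firewall WAN as the scanner and list
    the destinations that lie outside the prefixes we control."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    summary = Counter()
    external = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["classtype"] != "portscan":
            continue
        summary["portscan"] += 1
        if a["src"] != firewall_wan:
            continue  # scanner is some other host; not the symptom in question
        summary["from_wan"] += 1
        if not any(ipaddress.ip_address(a["dst"]) in n for n in owned):
            summary["external"] += 1
            external.append(a["dst"])
    return summary, external


if __name__ == "__main__":
    s, ext = triage(SAMPLE_ALERTS, "198.51.100.2", ["198.51.100.0/24"])
    print(f"{s['external']}/{s['from_wan']} WAN-sourced sweep alerts hit external hosts: {ext}")
```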
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.