 From:  Jason P Jones <jjones at integracon dot com>
 To:  Eric Gregory <eric at gatewayconnections dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Strange output in snort log
 Date:  Wed, 18 Aug 2004 14:15:32 -0400
You may want to change your $HOME variable to include your external IP
if it doesn't already (.233) and be sure to have the $DNSSERVERS
variable defined with your DNS servers, or else be sloppy and put them
into your $HOME. Look at what servers are showing up as portscanning you
and check if they are DNS servers that clients are using. You can also
increase the sppportscan2 limits, as it just detects how many
connections a given host makes to your external IP. DNS replies, IIS servers
trying to connect back, etc. can generate traffic back to you that
users on the LAN initiate, and thus show up after a few subsequent NAT'd
connections as portscans.




On Wed, 2004-08-18 at 12:03 -0500, Eric Gregory wrote:
> x.xxx.xxx.2
-- 

        Jason P Jones
        MCSE+I,MCT,CCNA,LCP,CCA,CNA,CIWA,INET+,Network+,A+
        Integracon Technologies
        865.382.7400
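
The false positive described in the message above, as an added example that is not part of the original e-mail: a simplified per-source port counter (an assumption for illustration, not Snort's own portscan2 code) run over constructed packets. All addresses, the function names and the default limits are made up for the demonstration.

```python
from collections import defaultdict

EXTERNAL_IP = "203.0.113.233"    # constructed; stands in for the firewall's WAN address
DNS_SERVERS = {"198.51.100.53"}  # constructed resolver address

def build_sample():
    """Constructed packets: (time_s, src_ip, src_port, dst_ip, dst_port)."""
    pkts = []
    # DNS replies to eight LAN lookups. NAT gave each lookup its own source
    # port, so the replies arrive on eight different ports of the external IP.
    for i in range(8):
        pkts.append((i * 2.0, "198.51.100.53", 53, EXTERNAL_IP, 40000 + i))
    # An unrelated host that touches only two ports.
    pkts.append((3.0, "192.0.2.10", 51000, EXTERNAL_IP, 80))
    pkts.append((4.0, "192.0.2.10", 51001, EXTERNAL_IP, 443))
    return pkts

def find_scanners(pkts, port_limit=5, timeout=60.0, ignore_hosts=frozenset()):
    """Return sources that reach port_limit distinct ports on EXTERNAL_IP
    within timeout seconds, skipping any source listed in ignore_hosts."""
    seen = defaultdict(list)  # src_ip -> [(time, dst_port), ...]
    flagged = set()
    for t, src, _sport, dst, dport in sorted(pkts):
        if dst != EXTERNAL_IP or src in ignore_hosts:
            continue
        # Keep only events still inside the time window, then add this one.
        window = [(ts, p) for ts, p in seen[src] if t - ts <= timeout]
        window.append((t, dport))
        seen[src] = window
        if len({p for _, p in window}) >= port_limit:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("default limits:     ", find_scanners(sample))
    print("DNS servers ignored:", find_scanners(sample, ignore_hosts=DNS_SERVERS))
    print("raised port limit:  ", find_scanners(sample, port_limit=20))
```

With the default limits only the resolver is flagged; ignoring the DNS servers or raising the port limit clears the alert, which are the two adjustments the message suggests.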