snort - ip in report don't appear in log
I get a daily report from snort which claims all sorts of
ICMP Destination Unreachable (Communication Administratively Prohibited)
(spp_portscan2) Portscan detected from 126.96.36.199: 21 targets 21
ports in 1 seconds
The IPs appearing in this report don't appear in any of the
The ICMP connections are incoming (does this message mean they were
dropped or something else was done with them?).
The strange thing is that the portscans seem to originate from my
computer according to snort, although I didn't run any portscans.
Also, some of the connections reported are from and to IPs unrelated to
the network I am on.
This traffic always occurs behind the university firewall, on my local
What do these messages mean and should I be alarmed?
I am running shorewall and if I understood the settings correctly it
should allow all outgoing traffic and incoming traffic to ftp and ssh
only from 2 specific subnets, and all traffic to mldonkey ports
(although I should probably block those since the uni firewall is
blocking them also anyway).