
snort - ip in report don't appear in log



I get a daily report from snort which claims all sorts of
ICMP Destination Unreachable (Communication Administratively Prohibited)
and
(spp_portscan2) Portscan detected from 132.66.40.250: 21 targets 21
ports in 1 seconds
The IPs appearing in this report don't appear in any of the
/var/log/{messages|kern.log|syslog}.
The ICMP connections are incoming (does this message mean they were
dropped or something else was done with them?).
The strange thing is that the portscans seem to originate from my
computer according to snort, although I didn't run any portscans.
Also, some of the connections reported are from and to IPs unrelated to
the network I am on.
This traffic always occurs behind the university firewall, on my local
IP there.
What do these messages mean and should I be alarmed?
I am running shorewall and if I understood the settings correctly it
should allow all outgoing traffic and incoming traffic to ftp and ssh
only from 2 specific subnets, and all traffic to mldonkey ports
(although I should probably block those since the uni firewall is
blocking them also anyway).


