It doesn't look like anything to worry about; they are false positives leaving your network. Your network is a private network, 192.168.1.x, and the false attacks are you hitting a DNS, probably your DNS, and your network hitting a website. 192.168.1 is a private network range; that means they are unroutable on the public internet unless statically routed. I would say they are false positives. When running nmap, run it on your eth0 interface as opposed to your loopback; this can give different results. Check your home_net and DNS server entries in snort.conf.
There is a script in cron.weekly that starts lpd once a week.

--- Patrick Albuquerque <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Anyone have an idea why I'm a portscanner?
> I'm running unstable, dsl thru a router.
>
> Some sample snort output:
>
> [**] [117:1:1] (spp_portscan2) Portscan detected
> from 192.168.1.1: 6
> targets 6 ports in 19 seconds
> [**]
> 07/13-15:11:32.418841 192.168.1.1:32769 ->
> 198.32.64.12:53
> UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
> Len: 43
>
> [**] [117:1:1] (spp_portscan2) Portscan detected
> from 192.168.1.1: 6
> targets 6 ports in 52 seconds
> [**]
> 07/13-15:25:53.462024 192.168.1.1:34869 ->
> 66.35.250.150:80
> TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0x51642A4F Ack: 0x0 Win: 0x16D0
> TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 1350334 0
> NOP WS: 0
>
> whois says these particular targets are
> OrgName: Exchange Point Blocks
> OrgName: Cable & Wireless
> and I have no connection to them AFAICT.
>
> nmap localhost says:
> Starting nmap 3.27 ( www.insecure.org/nmap/ ) at
> 2003-07-13 20:25 CDT
> Interesting ports on loopback (127.0.0.1):
> (The 1618 ports scanned but not shown below are in
> state: closed)
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 111/tcp open sunrpc
> 953/tcp open rndc
>
> Also, every now and then, I notice lpd running. I
> don't have a printer,
> and lpd is not in /etc/rc2.d
>
> Sorry, but I'm pretty ignorant regarding
> network/security issues.
>
> Is it time to panic yet?
>
> Thanks for any advice.
>
> Patrick.
>
>
> --
> To UNSUBSCRIBE, email to
> [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
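The triage this reply describes can be run over the alerts mechanically. The following is an added example, not part of the original thread: it parses spp_portscan2 alerts and marks the ones whose source is inside the home network and whose flagged packet is a slow, high-source-port connection to DNS or HTTP. The `HOME_NET` value, the rate threshold, the verdict strings and the third sample alert are assumptions made for illustration.

```python
import ipaddress
import re

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: your HOME_NET in snort.conf
CLIENT_PORTS = {53: "dns", 80: "http"}  # services the flagged packets went to
MAX_TARGETS_PER_SEC = 1.0  # assumption: browsing fan-out is slower than a sweep

# Constructed sample: the thread's two alerts with mail line-wrapping undone,
# plus one invented inbound alert (TEST-NET-3 source) for contrast.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF

[**] [117:1:1] (spp_portscan2) Portscan detected from 203.0.113.9: 1 targets 40 ports in 3 seconds [**]
07/13-16:02:10.000000 203.0.113.9:40000 -> 192.168.1.1:22
"""

ALERT = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets \d+ ports in (?P<secs>\d+) seconds \[\*\*\]\s*\n"
    r"\S+ [\d.]+:(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(log_text):
    """Return (scanner, dst, dport, verdict) for each spp_portscan2 alert."""
    results = []
    for m in ALERT.finditer(log_text):
        scanner = ipaddress.ip_address(m["scanner"])
        dst = ipaddress.ip_address(m["dst"])
        sport, dport = int(m["sport"]), int(m["dport"])
        outbound = scanner in HOME_NET and dst not in HOME_NET
        slow = int(m["targets"]) <= int(m["secs"]) * MAX_TARGETS_PER_SEC
        # Heuristic only: low-rate, high source port, DNS/HTTP destination.
        if outbound and slow and sport >= 1024 and dport in CLIENT_PORTS:
            verdict = "likely-benign-outbound-" + CLIENT_PORTS[dport]
        else:
            verdict = "review"
        results.append((m["scanner"], m["dst"], dport, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A "likely-benign" verdict is a sorting aid for the alert queue; an internal host that really is sweeping port 80 slowly would get the same label, so the threshold should be tuned against your own traffic.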