Snort Forums Archive
(portscan) Open Port Raw IP problem with MySQL
Posted by renebouchard on July 15, 2005 11:30:02
Hi! I receive hundreds of snort alerts because of (portscan) OpenPort [Raw IP].
It seems that my servers are exchanging small packets together. Apparently
you cannot add an exception in preprocessors; do you know what I can do?
Packet exchanges from my internal servers look like this:
Ver 4, Hdr Len 5, TOS 0, length 36,ID 0,flags 0,offset 0,TTL 0, chksum 57022
length = 16
000 : 4F 70 65 6E 20 50 6F 72 74 3A 20 33 33 30 36 0A Open Port: 3306.
I don't know why my servers are sending so many of them. I don't know how to
remove snort's alert about this; I don't even know why it is Raw IP...
Can anybody help?
Thanks!!!
Posted by chris on July 21, 2005 12:19:10
Hi rene, are the servers sending the portscans sensors in your network or regular resource servers?
Are you logging snort alerts to a mysql database? If so, what type of connection to your mysql install are you using, i.e. is it a persistent connection or not?
Cheers
Chris