Ghosting IDS Log entries in IPCOP.

Ghosting IDS Log entries in IPCOP.

Post by n.. » Wed, 18 May 2005 04:42:25

Don't understand this one.
I installed IPCOP on our LAN last Thursday. To test it out I ran an
NMAP portscan on it to see what it would do/say.
Can't say as it DID anything, but it did record the ping of one of the
ports in the IDS Log.

Yet, strangely, it's recording an NMAP attempt every 20 minutes SINCE
Entries like:

Date:   05/16 14:22:35  Name:   ICMP PING NMAP
Priority:       2       Type:   Attempted Information Leak
IP info: ->
References:     none found      SID:    469

I looked in /var/log/snort/alert on IPCOP, and the messages are in
I did a
# ps aux | grep nmap
on the original PC ( and there's no entry.

Why does IPCOP think it's STILL being portscanned by that machine?
What can I do to investigate it further?

Thanks for any help.


1. Need HELP to Log User Log-ins form the internet


I've setup a FreeBSD 4.1.1-STABLE box to connect a network to the internet
with natd and ipfw firewall.
I've also setup the FreeBSD box to let teleworkers log in with FTP and

Now I would like to log FTP and telnet Log-in's from teleworkers who connect
to the machine from the internet.
I woul like to see the time and IP numer from which users Log-in.

I have looked at the /var/log/messages file but this only shows SU Login's.

All help is greatly appriciated!


2. E. Becchetti

3. Several entries in log into one entry, how?

4. Radio networking links

5. sco-list: Q: ghost entries during ls -l

6. Looking for SVGALib for PPC

7. Apache Logs : wrong entries in log files

8. RH 6.1 & Sounblaster problem

9. "ghost"/dupe SCSI disk alternative to Ghost?

10. User logged out but ghost left behind ........

11. too many entries too many entries too mant entries in the KDE menu

12. How to get /dev entry from id number

13. what's the defference module ID and module's entry point?