Don't understand this one.
I installed IPCOP on our LAN last Thursday. To test it out I ran an
NMAP portscan on it to see what it would do/say.
Can't say as it DID anything, but it did record the ping of one of the
ports in the IDS Log.
Yet, strangely, it's recording an NMAP attempt every 20 minutes SINCE
Date: 05/16 14:22:35 Name: ICMP PING NMAP
Priority: 2 Type: Attempted Information Leak
IP info: 192.168.1.4:n/a -> 192.168.1.101:n/a
References: none found SID: 469
I looked in /var/log/snort/alert on IPCOP, and the messages are in
I did a
# ps aux | grep nmap
on the original PC (192.168.1.4) and there's no entry.
Why does IPCOP think it's STILL being portscanned by that machine?
What can I do to investigate it further?
Thanks for any help.