Snort mailing list archives
portscan false alerts on NFS & ftp
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Sat, 2 Jun 2001 15:49:33 -0700 (PDT)
Is there a way to disable the portscan for NFS data transfers? I recently had a slightly embarrassing automatic alert sent to a collaborating institution by my reporter script, triggered off a legitimate NFS transfer as below. I have since fixed my script to ignore source port 2049, but maybe it is/should be ignorable in Snort? (I know NFS across the Internet is deprecated, but we've been doing it for years and it's Gb of non-sensitive data ... too difficult to change everything...)

Jun 2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:719 UDP
Jun 2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:721 UDP
Jun 2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:723 UDP
Jun 2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:725 UDP
Jun 2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:603 UDP
Jun 2 01:27:08 x.y.36.33:2049 -> 142.90.a.b:605 UDP

In a similar vein I sometimes get scan alerts off big ftp data transfers. I suspect that the snort system is losing some packets if it sees a SYN only, or maybe the net's congested or something. Difficult to test. I'd been ignoring scans to unprivileged ports in my script, but maybe I should ignore source port 20. Again, can one ignore this in Snort?

May 29 09:43:18 137.138.24.190:20 -> 142.90.100.68:2519 SYN ******S*
May 29 09:43:27 137.138.24.190:20 -> 142.90.100.68:2520 SYN ******S*
May 29 09:43:53 137.138.24.190:20 -> 142.90.100.68:2521 SYN ******S*
May 29 09:44:08 137.138.24.190:20 -> 142.90.100.68:2522 SYN ******S*
May 29 09:44:15 137.138.24.190:20 -> 142.90.100.68:2523 SYN ******S*
May 29 09:44:58 137.138.24.190:20 -> 142.90.100.68:2526 SYN ******S*
May 29 09:46:36 137.138.24.190:20 -> 142.90.100.68:2527 SYN ******S*

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
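As an added example, not code from the original post or from Snort, here is a Python version of the kind of reporter-script filter the post describes. It parses portscan.log lines in the format quoted above, drops events whose source port marks them as NFS server replies (UDP from port 2049) or active-mode FTP data connections (SYN from port 20), and reports what remains grouped by source host. The sample lines and addresses are constructed; the extra condition that an FTP data SYN must go to an unprivileged destination port, and the reporting threshold, are assumptions of this example, not something the post proposes.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.x portscan.log format quoted in the post.
# Addresses are documentation ranges, not the poster's hosts.
SAMPLE_LOG = """\
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.7:719 UDP
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.7:721 UDP
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.7:723 UDP
May 29 09:43:18 203.0.113.190:20 -> 198.51.100.68:2519 SYN ******S*
May 29 09:43:27 203.0.113.190:20 -> 198.51.100.68:2520 SYN ******S*
May 29 09:50:01 203.0.113.9:20 -> 198.51.100.68:22 SYN ******S*
May 29 09:50:01 203.0.113.9:20 -> 198.51.100.68:23 SYN ******S*
May 29 09:50:02 203.0.113.9:20 -> 198.51.100.68:25 SYN ******S*
May 29 10:12:44 203.0.113.50:41234 -> 198.51.100.68:80 SYN ******S*
May 29 10:12:44 203.0.113.50:41235 -> 198.51.100.68:443 SYN ******S*
"""

# "Mon dd hh:mm:ss src:sport -> dst:dport PROTO [flags]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)(?:\s+(?P<flags>\S+))?\s*$"
)


def parse_line(line):
    """Parse one portscan.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_known_data_transfer(ev):
    """Heuristics from the post: NFS server replies and active-FTP data connections.

    The dport >= 1024 condition on the FTP rule is an added assumption: an FTP
    server's data connection goes to the ephemeral port the client announced in
    its PORT command, so SYNs from port 20 to privileged ports look more like a
    scan run with a chosen source port than like an FTP transfer.
    """
    if ev["proto"] == "UDP" and ev["sport"] == 2049:
        return True
    if ev["proto"] == "SYN" and ev["sport"] == 20 and ev["dport"] >= 1024:
        return True
    return False


def report(log_text, threshold=2):
    """Return {source_host: sorted destination ports} for sources that, after
    dropping known data transfers, still touched at least `threshold` ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_known_data_transfer(ev):
            continue
        ports_by_src[ev["src"]].add(ev["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in report(SAMPLE_LOG).items():
        print(f"{src} touched {len(ports)} ports: {ports}")
```

The caveat with any filter keyed on source port is that a scanner chooses its own source port (nmap's -g/--source-port option does exactly this), so whitelisting port 20 or 2049 outright also hides deliberate scans. Limiting the FTP rule to ephemeral destination ports, as above, catches the third source in the sample, which sends SYNs from port 20 to 22, 23 and 25; tying the rules to the specific peer hosts you actually exchange data with narrows the hole further.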