Snort mailing list archives
Re: how to disable spp_porscan?
From: robe () alfa21 com (Roberto Suarez Soto)
Date: Tue, 18 Dec 2001 20:10:36 +0100
On Dec/18, Steve Halligan wrote:
> If you commented spp_portscan in snort.conf, the alerts you are seeing are NOT coming from it. More likely they are coming from snort itself, and you
Well, I wouldn't say so:

Dec 18 19:55:51 seel snort[28989]: spp_portscan: PORTSCAN DETECTED from XX.XX.XX.XX (THRESHOLD 4 connections exceeded in 3 seconds)
Dec 18 19:55:52 seel snort[28989]: spp_portscan: portscan status from YY.YY.YY.YY: 4 connections across 4 hosts: TCP(4), UDP(0)
Dec 18 19:55:55 seel snort[28989]: spp_portscan: portscan status from XX.XX.XX.XX: 7 connections across 7 hosts: TCP(0), UDP(7)
Dec 18 19:55:56 seel snort[28989]: spp_portscan: portscan status from YY.YY.YY.YY: 3 connections across 3 hosts: TCP(3), UDP(0)

The "spp_portscan" string should mean that it's spp_portscan that's logging, isn't it? And besides, I have set up rules in /etc/snort/local-first that ignore everything from this host's addresses (and included this file in the snort configuration, of course). So, I don't know exactly what it is, but I'm pretty sure that it's some spp_portscan-related thing :-) And this is with *all* portscan-related config commented. Or at least I think so:

host:~# grep portscan /etc/snort/snort.conf
# if you want to ignore portscan false alarms from them...
# detect various portscan types, fingerprinting, ECN, etc.
# detect_scans - stream4 will detect stealth portscans and generate alerts
# portscan: detect a variety of portscans
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
#preprocessor portscan: $HOME_NET 4 3 portscan.log
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
#preprocessor portscan-ignorehosts: $DNS_SERVERS

(I've "hidden" all IP addresses because I don't know if my bosses would like to show them all over the Internet O:-))

--
Roberto Suarez Soto
Alfa21 Outsourcing
robe () alfa21 com
http://www.alfa21.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
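The message above greps only snort.conf, but the poster also says a second file (/etc/snort/local-first) is pulled in via include, and Snort 1.x loads preprocessor directives from every included file. The script below is an added example, not code from the thread or from the Snort project: it walks a snort.conf, follows `include` lines, reports every uncommented `preprocessor portscan*` directive wherever it lives, and also flags `stream4 ... detect_scans`, which the grep output's own comment says generates scan alerts. It then aggregates the `spp_portscan: portscan status` lines per source host. The file contents, file names, the in-memory "filesystem" and the 192.0.2.x addresses are all constructed for illustration; the example does not expand `$VAR` references in include paths.

```python
"""Audit a Snort 1.x-style config for still-active scan preprocessors (following
`include` lines) and summarise spp_portscan syslog output per source host.

Added example, not code from the mailing-list thread or from Snort. Config
text, file layout and log lines are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the filesystem: path -> file contents. Mirrors the
# thread: snort.conf has the portscan lines commented out, but a file pulled in
# with `include` still carries a live `preprocessor portscan:` directive.
SAMPLE_FILES = {
    "/etc/snort/snort.conf": (
        "var HOME_NET 10.0.0.0/24\n"
        "# portscan: detect a variety of portscans\n"
        "#preprocessor portscan: $HOME_NET 4 3 portscan.log\n"
        "#preprocessor portscan-ignorehosts: $DNS_SERVERS\n"
        "include /etc/snort/local-first\n"
        "preprocessor stream4: detect_scans\n"
    ),
    "/etc/snort/local-first": (
        "pass ip 10.0.0.5 any -> any any\n"
        "preprocessor portscan: $HOME_NET 4 3 portscan.log\n"
    ),
}

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
PREPROC_RE = re.compile(r"^\s*preprocessor\s+([\w-]+)\s*:?\s*(.*)$")


def active_preprocessors(path: str, files=SAMPLE_FILES,
                         seen: Optional[Set[str]] = None) -> List[Tuple[str, str, str]]:
    """Return (file, name, args) for every uncommented preprocessor line,
    recursing into `include` directives. Lines starting with '#' are skipped,
    which is exactly what the grep in the thread cannot distinguish across files."""
    seen = set() if seen is None else seen
    if path in seen:           # guard against include loops
        return []
    seen.add(path)
    found = []
    for line in files.get(path, "").splitlines():
        if line.lstrip().startswith("#"):
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            found.extend(active_preprocessors(inc.group(1), files, seen))
            continue
        pre = PREPROC_RE.match(line)
        if pre:
            found.append((path, pre.group(1), pre.group(2).strip()))
    return found


def portscan_still_enabled(path: str, files=SAMPLE_FILES) -> List[Tuple[str, str]]:
    """Files that still load a portscan-family preprocessor (portscan,
    portscan-ignorehosts, ...), i.e. the source of spp_portscan log lines."""
    return [(f, name) for f, name, _ in active_preprocessors(path, files)
            if name.startswith("portscan")]


def stream4_detect_scans(path: str, files=SAMPLE_FILES) -> List[str]:
    """Files whose stream4 line enables detect_scans; those alerts are not
    tagged spp_portscan but are a second, easily overlooked scan detector."""
    return [f for f, name, args in active_preprocessors(path, files)
            if name == "stream4" and "detect_scans" in args]


# Constructed log lines in the same shape as the ones quoted in the thread.
SAMPLE_LOG = """\
Dec 18 19:55:51 seel snort[28989]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 3 seconds)
Dec 18 19:55:52 seel snort[28989]: spp_portscan: portscan status from 192.0.2.20: 4 connections across 4 hosts: TCP(4), UDP(0)
Dec 18 19:55:55 seel snort[28989]: spp_portscan: portscan status from 192.0.2.10: 7 connections across 7 hosts: TCP(0), UDP(7)
Dec 18 19:55:56 seel snort[28989]: spp_portscan: portscan status from 192.0.2.20: 3 connections across 3 hosts: TCP(3), UDP(0)
"""

DETECTED_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\S+)")
STATUS_RE = re.compile(r"spp_portscan: portscan status from (\S+): (\d+) connections "
                       r"across (\d+) hosts: TCP\((\d+)\), UDP\((\d+)\)")
ZERO = {"detected": 0, "connections": 0, "hosts": 0, "tcp": 0, "udp": 0}


def summarise_portscan_log(text: str) -> Dict[str, Dict[str, int]]:
    """Per-source totals of detections, connections, hosts, TCP and UDP counts."""
    totals: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        det = DETECTED_RE.search(line)
        if det:
            totals.setdefault(det.group(1), dict(ZERO))["detected"] += 1
            continue
        st = STATUS_RE.search(line)
        if not st:
            continue
        rec = totals.setdefault(st.group(1), dict(ZERO))
        conns, hosts, tcp, udp = (int(x) for x in st.groups()[1:])
        rec["connections"] += conns
        rec["hosts"] += hosts
        rec["tcp"] += tcp
        rec["udp"] += udp
    return totals


if __name__ == "__main__":
    print("portscan still enabled in:", portscan_still_enabled("/etc/snort/snort.conf"))
    print("stream4 detect_scans in:", stream4_detect_scans("/etc/snort/snort.conf"))
    for src, rec in summarise_portscan_log(SAMPLE_LOG).items():
        print(src, rec)
```

Run against a real tree, replace `SAMPLE_FILES` with a dict built by reading the files from disk. Two practical caveats the audit does not cover: a running snort process keeps the configuration it was started with until it is restarted, so a correct file on disk can still coexist with spp_portscan log lines; and `pass` rules in an included file filter rule matching, not preprocessor output, so they will not silence spp_portscan even when they cover the scanning host.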
Current thread:
- Re: how to disable spp_porscan?, (continued)
- Re: how to disable spp_porscan? Phil Wood (Dec 18)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 19)
- Re: how to disable spp_porscan? Phil Wood (Dec 19)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 20)
- Re: how to disable spp_porscan? Phil Wood (Dec 20)
- Re: how to disable spp_porscan? Phil Wood (Dec 20)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 21)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 18)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 18)
- Re: how to disable spp_porscan? Chris Green (Dec 18)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 19)
- Re: how to disable spp_porscan? Phil Wood (Dec 19)
- Re: how to disable spp_porscan? Roberto Suarez Soto (Dec 20)