Snort mailing list archives

Re: how to disable spp_porscan?


From: robe () alfa21 com (Roberto Suarez Soto)
Date: Wed, 19 Dec 2001 10:30:50 +0100

On Dec/18, Chris Green wrote:

Ok, lets move to theory two.  How are you running snort? What command
line options?  Where does this snort.conf you reference live?

        This is the command line of snort: (taken directly from "ps")

/usr/sbin/snort -D -c /etc/snort/snort.conf -l /var/log/snort -b -d -u snort -g snort -s -i eth0 -o

        The snort.conf file, as you can see, lies in /etc/snort. I'm using
snort 1.8.3, "repackaged" from Debian 1.8p1 (i.e., I used the "templates" in
Debian's snort 1.8p1 package and tweaked them to fit 1.8.3). This same package
is working perfectly on another machine, but that other machine has a simpler
network setup (it's not a firewall, just a "monitor box").

        Anyway, could it be an error on my part when building snort? Could
it be that having multiple IPs on the same interface confuses snort? :-?

        I'm attaching the config file used, with IP addresses "obfuscated". As
you can see, almost everything is at its default; only a few things are changed.
The "XX.XX.XX.XX" and "YY.YY.YY.YY" addresses are "consistent" with my prior
message, in the sense that they are the same ones that are giving false
portscan positives.

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

Attachment: snort.conf
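Since the thread's subject is how to disable spp_portscan, here is an added example (not part of the original message, and not the poster's attached snort.conf) of doing that on a Snort 1.8-era config: comment out every `preprocessor portscan` line (including `portscan-ignorehosts`) and confirm nothing else was touched. The config fragment is constructed for illustration and assumes 1.8.x syntax for HOME_NET lists and the portscan preprocessor; the placeholder addresses mirror the ones in the message.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Disables spp_portscan in a Snort 1.8-style snort.conf by commenting out
# the lines that load it, then lets the caller verify the result.

make_sample_conf() {
  # Constructed fragment in Snort 1.8-era syntax (assumed), not the
  # poster's real file. Two IPs on one interface, as in the message.
  cat > "$1" <<'EOF'
var HOME_NET [XX.XX.XX.XX/32,YY.YY.YY.YY/32]
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: YY.YY.YY.YY
EOF
}

disable_portscan() {
  # Comment out every line beginning with "preprocessor portscan" (this
  # catches both "portscan:" and "portscan-ignorehosts:"); all other
  # preprocessor lines are left as they are. Writes to a temp file and
  # moves it into place so a failed sed never leaves a half-written conf.
  tmp="$1.new"
  sed -e 's/^[[:space:]]*preprocessor[[:space:]]*portscan/# &/' "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

active_portscan_lines() {
  # Count of portscan preprocessor lines that are still active.
  # 0 means spp_portscan will not be loaded; grep exits 1 on zero
  # matches, so "|| true" keeps the count usable under "set -e".
  grep -c '^[[:space:]]*preprocessor[[:space:]]*portscan' "$1" || true
}
```

After editing, restart the daemon with the same command line shown above (the `-c /etc/snort/snort.conf` argument decides which file is read), and check that `snort -T -c /etc/snort/snort.conf` no longer reports the portscan preprocessor being initialized.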