Snort mailing list archives
Re: Portscan: ignoreports option
From: Jon Hart <jhart () ccs neu edu>
Date: Sat, 9 Feb 2002 15:36:51 -0500
On Fri, Feb 08, 2002 at 09:46:45AM -0000, Andy Leigh wrote:
> Folks, You can put a list into portscan_ignorehosts, but what would be very handy would be to have an option "portscan_ignoreports". In a large infrastructure with a lot of clients waking up and trying to find NetBIOS shares and BDCs, there's a lot of portscan noise all on the 138 and 139 ports. Is there an option or tweak I'm missing?
I had mentioned this some time back (maybe over the summer sometime?). In my case, I really need to ignore scans that are generated from ftp traffic. We mirror a large number of sites, and we also get mirrored from time to time. The majority of this is done via anonymous ftp. The portscan logs can get quite unruly when the mirroring happens, but I at least know that snort is doing its job. What I need is a way to ignore traffic that is generated from a mirroring. A portscan-ignoreports would do the trick.

The problem is that you may just be shooting yourself in the foot with a directive like this. If I had "portscan-ignoreports: 20" in my config file, all an attacker would have to do to evade my IDS would be to send traffic from port 20. That's assuming an ignoreports directive would only apply to one of src_port or dst_port, but even that is open to debate.

Unless someone beats me to it, I'll plan on getting something together that ignores certain ports once classes die down a bit.

-jon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
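To make the trade-off in Jon's reply concrete, here is an added toy portscan tracker (not Snort code and not written by anyone in the thread) run over constructed flow records. It shows that ignoring by source port 20 silences the ftp mirror but equally silences a probe that pins its source port to 20, while ignoring only destination ports 138/139 covers Andy's NetBIOS case without that gap (at the cost of never flagging scans of 138/139 themselves).

```python
from collections import defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port); not captured traffic.
# An anonymous-ftp mirror: active-mode data connections from port 20 to six client ports.
MIRROR = [("10.0.0.5", 20, "198.51.100.7", p) for p in range(50000, 50006)]
# A host probing six services on one target while pinning its source port to 20.
PROBE = [("203.0.113.9", 20, "198.51.100.7", p) for p in (21, 22, 23, 25, 80, 443)]
# A workstation looking for NetBIOS shares on six neighbours (Andy's noise).
NETBIOS = [("192.0.2.50", 1025 + i, "192.0.2.%d" % (10 + i), 139) for i in range(6)]
FLOWS = MIRROR + PROBE + NETBIOS

def detect_scans(flows, threshold=5, ignore_src_ports=(), ignore_dst_ports=()):
    """Return the set of source IPs that reach at least `threshold` distinct
    (dst_ip, dst_port) targets. Flows matching an ignore list are dropped before
    counting, which is what a hypothetical ignoreports directive would do."""
    targets = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in flows:
        if src_port in ignore_src_ports or dst_port in ignore_dst_ports:
            continue
        targets[src_ip].add((dst_ip, dst_port))
    return {ip for ip, seen in targets.items() if len(seen) >= threshold}

def compare_policies(flows=FLOWS):
    """Run the same flows under three configurations so the trade-off is visible."""
    return {
        "no ignore": detect_scans(flows),
        "ignore src port 20": detect_scans(flows, ignore_src_ports={20}),
        "ignore dst ports 138/139": detect_scans(flows, ignore_dst_ports={138, 139}),
    }

if __name__ == "__main__":
    for policy, flagged in compare_policies().items():
        print("%-26s -> %s" % (policy, sorted(flagged) or "nothing flagged"))
```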
Current thread:
- Portscan: ignoreports option Andy Leigh (Feb 08)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Erek Adams (Feb 09)
- Re: Portscan: ignoreports option Jon Hart (Feb 09)
- RE: Portscan: ignoreports option Andy Leigh (Feb 10)
- RE: Portscan: ignoreports option Erek Adams (Feb 10)