Snort mailing list archives
RE: Snort portscan false positives?
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Wed, 9 Oct 2002 15:04:51 -0700
That would depend on sensor placement. Example of my own configuration stumble... Sensor's listening interface was placed outside of the firewall, but I was using a $HOME_NET value of IPs behind the firewall. Well, from the sensor's perspective, the private IPs were never seen since the firewall did NAT, and the alerts were all messed up. The sensor doesn't ignore it, but you do have to remember what the sensor is capable of seeing due to its placement in the architecture.

-----Original Message-----
From: Felipe Alfaro Solana [mailto:snort () felipe-alfaro com]
Sent: Wednesday, October 09, 2002 2:40 PM
To: Erek Adams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort portscan false positives?

You say ps2 has no idea what my HOME_NET is... I have defined HOME_NET in my "snort.conf" file as "var HOME_NET 192.168.0.0/24". Does ps2 ignore the value of this variable?

On Wed, 2002-10-09 at 22:00, Erek Adams wrote:

The reason that portscan2 is flagging that as a scan is there are 'more than x connections to y targets.' Since ps2 has no idea of what your HOME_NET is, it sees the connections and flags them, even though they are coming from you. Just define portscan2-ignorehosts with your IP and all should be well.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
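As an added illustration that is not Snort's portscan2 code nor anything posted in this thread, the following Python model of the "more than x connections to y targets" counter, with an ignore list standing in for portscan2-ignorehosts, reproduces both Felipe's false positive (the admin's own connections trip the counter until the admin's IP is ignored) and Josh's placement stumble (a sensor outside a NAT firewall only ever sees the firewall's public address, so ignoring the private IP changes nothing). The thresholds, addresses and flow records are constructed for the example.

```python
"""Toy model of a portscan2-style "x connections to y targets" counter.
Added illustration, not Snort's code: thresholds, addresses and flow
records below are constructed for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TARGET_LIMIT = 5  # constructed: alert once a source hits more than 5 hosts
WINDOW = 60       # constructed: within a 60-second sliding window

def scan_sources(flows, ignore_hosts, target_limit=TARGET_LIMIT, window=WINDOW):
    """Return the set of source IPs flagged as scanners.
    flows: (timestamp, src, dst) tuples exactly as the sensor sees them.
    ignore_hosts: CIDR strings whose sources are skipped, the role that
    portscan2-ignorehosts plays in snort.conf."""
    ignore = [ip_network(n) for n in ignore_hosts]
    recent = defaultdict(list)  # src -> [(ts, dst), ...] inside the window
    flagged = set()
    for ts, src, dst in sorted(flows):
        if any(ip_address(src) in net for net in ignore):
            continue
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
        recent[src].append((ts, dst))
        if len({d for _, d in recent[src]}) > target_limit:
            flagged.add(src)
    return flagged

# Constructed scenario: an admin at 192.168.0.5 sweeps six hosts from inside.
ADMIN_PRIVATE = "192.168.0.5"
FIREWALL_PUBLIC = "203.0.113.1"  # what a sensor outside the NAT firewall sees
TARGETS = [f"198.51.100.{i}" for i in range(1, 7)]

def flows_as_seen(observed_src):
    """The same sweep, with the source address the sensor actually observes."""
    return [(10 + i, observed_src, dst) for i, dst in enumerate(TARGETS)]

def inside_sensor(ignore_hosts):
    """Sensor inside the firewall sees the admin's real address."""
    return scan_sources(flows_as_seen(ADMIN_PRIVATE), ignore_hosts)

def outside_sensor(ignore_hosts):
    """Sensor outside the firewall only ever sees the NAT address (Josh's stumble)."""
    return scan_sources(flows_as_seen(FIREWALL_PUBLIC), ignore_hosts)

if __name__ == "__main__":
    print(inside_sensor([]))                  # {'192.168.0.5'}: Felipe's false positive
    print(inside_sensor(["192.168.0.5/32"]))  # set(): Erek's ignorehosts fix
    print(outside_sensor(["192.168.0.5/32"])) # {'203.0.113.1'}: private IP never seen
    print(outside_sensor(["203.0.113.1/32"])) # set(): ignore what the sensor really sees
```

The last two calls are the point of Josh's message: the ignore list has to name the address the sensor can actually observe from where it sits, not the address the host has behind the NAT.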