Snort mailing list archives
Re: portscans of the broadcast address?
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 11 Oct 2002 17:26:08 -0700 (PDT)
On Fri, 11 Oct 2002, Bob Van Cleef wrote:
> I am seeing these false positives. I suspect they may be rwhod broadcasts, but am not sure how to verify this and where I would block them in the configuration files.
>
> [**] [117:1:1] (spp_portscan2) Portscan detected from 192.86.7.22: 6 targets 6 ports in 50 seconds [**]
> 10/11-15:50:18.538938 192.86.7.22:513 -> 192.86.7.255:513
> UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
> Len: 68

Depends on how you want to ignore them. There are generally two ways to 'ignore' things in snort: BPF filters and Pass rules.[0] Since this is coming from the portscan2 preprocessor, you could also use portscan2-ignorehosts.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt
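
One way to check from the alert headers that the flagged traffic is UDP 513 to 513 aimed at the subnet broadcast address, and to derive a narrow BPF filter of the kind mentioned in the reply. This is an added example, not part of the original thread; the /24 netmask, the second (TCP) alert and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the alert quoted in the post plus one made-up TCP alert for contrast.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.86.7.22: 6 targets 6 ports in 50 seconds [**]
10/11-15:50:18.538938 192.86.7.22:513 -> 192.86.7.255:513
UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
Len: 68

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.86.7.40: 6 targets 6 ports in 12 seconds [**]
10/11-16:02:44.100200 192.86.7.40:40112 -> 192.86.7.9:22
TCP TTL:64 TOS:0x0 ID:4021 IpLen:20 DgmLen:60
"""

LOCAL_NET = ipaddress.ip_network("192.86.7.0/24")  # assumption: the post gives no netmask
RWHO_PORT = 513  # UDP "who" service used by rwhod

FLOW = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
PROTO = re.compile(r"^(TCP|UDP|ICMP)\b")

def parse_alerts(text):
    """Yield (proto, src, sport, dst, dport) for each spp_portscan2 alert block."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3 or "(spp_portscan2)" not in lines[0]:
            continue
        flow, proto = FLOW.match(lines[1]), PROTO.match(lines[2])
        if flow and proto:
            src, sport, dst, dport = flow.groups()
            yield proto.group(1), src, int(sport), dst, int(dport)

def looks_like_rwho_broadcast(proto, src, sport, dst, dport, net=LOCAL_NET):
    """True for UDP 513 -> 513 sent by a local host to the subnet broadcast address."""
    return (proto == "UDP" and sport == dport == RWHO_PORT
            and ipaddress.ip_address(src) in net
            and ipaddress.ip_address(dst) == net.broadcast_address)

def bpf_exclusion(alerts, net=LOCAL_NET):
    """Build a BPF expression that excludes only the matching broadcast traffic."""
    if not any(looks_like_rwho_broadcast(*a, net=net) for a in alerts):
        return None  # nothing matched, so no filter is suggested
    return (f"not (udp and src net {net} and dst host {net.broadcast_address} "
            f"and src port {RWHO_PORT} and dst port {RWHO_PORT})")
```

The returned expression can be given to Snort as the trailing BPF filter on its command line. Matching on protocol, both ports and the broadcast destination keeps the exclusion narrower than ignoring the sending host outright.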