Snort mailing list archives
Re: scan.log file
From: Scott Fringer <fringsm () is2 hsnet ufl edu>
Date: Tue, 11 Feb 2003 07:38:53 -0500 (EST)
Jon,

spp_portscan2 generates the traffic that ends up in scan.log. So, yes, it should be portscan traffic that gets there. If you are seeing legitimate traffic ending up there, try adding the following to your snort.conf:

preprocessor portscan2-ignorehosts: [hosts-to-ignore]

<follows the same arguments as most variables, i.e. HOME_NET, etc.>

That should keep them from showing up (though I've heard mixed results on the list, it does work for me here).

Scott

Scott Fringer
Shands Healthcare @ U.F.
Technical Analyst II
Gainesville, FL

On Mon, 10 Feb 2003, John S wrote:
> Can anyone tell me what triggers an alert to the scan.log file? Is it just port scans? I am seeing a lot of legitimate DNS queries being logged in that file. What are people doing to reduce these false positives? Thanks!
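For readers who want to see where the suggested directive sits in a Snort 2.0-era snort.conf, here is an added example; it is not from Scott's or John's messages. The variable name DNS_SERVERS, the addresses, and the threshold values are illustrative assumptions (the thresholds are the defaults the Snort 2.0 documentation lists for portscan2).

```conf
# Added example (not from the original thread): snort.conf fragment that keeps
# known DNS servers from being counted by spp_portscan2 and logged to scan.log.
# DNS_SERVERS and all addresses below are assumptions chosen for illustration.

var HOME_NET 192.168.1.0/24
var DNS_SERVERS [192.168.1.53,192.168.1.54]

# portscan2 builds on the conversation preprocessor, which must be declared first
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

# A source that reaches more than target_limit hosts or port_limit ports within
# timeout seconds is written to scan.log
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Hosts whose traffic is never counted toward those thresholds. The argument takes
# the same forms as HOME_NET: a single address, a CIDR block, or a bracketed list.
preprocessor portscan2-ignorehosts: $DNS_SERVERS
```

Keep the ignore list to the specific servers whose fan-out is expected (resolvers, proxies), not whole subnets: a host on this list has its own scanning activity suppressed as well, so every address added is a blind spot if that host is compromised.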
Current thread:
- scan.log file John S (Feb 10)
- Re: scan.log file Scott Fringer (Feb 11)