Snort mailing list archives

Re: Snort 1.9 and spp_portscan2


From: Erek Adams <erek () snort org>
Date: Mon, 3 Mar 2003 08:53:38 -0500 (EST)

On Sun, 2 Mar 2003, Vlad Gavrila wrote:

> I have recently installed Snort 1.9 on a Linux box that also acts as a
> proxy and dns server for my lan.
>
> After having it run for a few hours, I found many portscan logs targeted
> against my server, that have the source port either 80 or 53. I know
> that these come from sequential response to either http or dns requests.
>
> My problem is blocking those connections that are using 80 or 53 as
> their source port. Is there a way to solve this?

If you look at the traffic, you should see that it's coming from websites
that you surf and visit.  Since you're using a proxy, all web requests on
the 'inside' must go thru the proxy to get 'outside'.  Look at some of the
traffic.  I'm sure you'll see that it's just normal web and/or DNS
traffic.

If you want to ignore traffic, you have two options [0].  Both have the
potential to open a hole in your security, so be cautious.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/ignore.txt
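
The following is an added example, not part of the original post and not Snort code or Snort output. It shows why replies to the proxy's own web and DNS requests touch many distinct local ports (and so resemble a portscan from source port 80 or 53), and why matching replies against outbound requests keeps other port-80/53 traffic visible, which an ignore based on source port alone would not. The addresses, the `Pkt` record layout and the function names are assumptions made for illustration.

```python
# Added example: constructed records, not Snort output or Snort code.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport proto")

PROXY = "192.0.2.10"          # constructed address of the proxy/DNS box
SERVICE_PORTS = {80, 53}      # source ports seen in the portscan logs


def classify(packets, proxy=PROXY):
    """Label each inbound packet from port 80/53 as 'reply' or 'unsolicited'.

    A packet is a reply only if the proxy earlier sent a packet to the
    same remote address and port from the same local port.
    """
    outbound = set()   # (proto, local_port, remote_ip, remote_port)
    labels = []
    for p in packets:
        if p.src == proxy:
            outbound.add((p.proto, p.sport, p.dst, p.dport))
            continue
        if p.dst != proxy or p.sport not in SERVICE_PORTS:
            continue
        key = (p.proto, p.dport, p.src, p.sport)
        labels.append((p, "reply" if key in outbound else "unsolicited"))
    return labels


def summarize(labels):
    """Count distinct local ports touched per remote host, split by label."""
    summary = {}
    for p, label in labels:
        summary.setdefault((p.src, label), set()).add(p.dport)
    return {k: len(v) for k, v in summary.items()}


# Constructed sample traffic.
SAMPLE = [
    Pkt(PROXY, 40001, "198.51.100.5", 80, "tcp"),
    Pkt(PROXY, 40002, "198.51.100.5", 80, "tcp"),
    Pkt(PROXY, 40003, "198.51.100.5", 80, "tcp"),
    Pkt("198.51.100.5", 80, PROXY, 40001, "tcp"),
    Pkt("198.51.100.5", 80, PROXY, 40002, "tcp"),
    Pkt("198.51.100.5", 80, PROXY, 40003, "tcp"),
    Pkt(PROXY, 40010, "203.0.113.53", 53, "udp"),
    Pkt("203.0.113.53", 53, PROXY, 40010, "udp"),
    Pkt("203.0.113.99", 80, PROXY, 22, "tcp"),
    Pkt("203.0.113.99", 80, PROXY, 25, "tcp"),
]

if __name__ == "__main__":
    for (host, label), ports in sorted(summarize(classify(SAMPLE)).items()):
        print(f"{host:15} {label:11} {ports} local port(s)")
```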

