Snort mailing list archives
Re: Snort 1.9 and spp_portscan2
From: Erek Adams <erek () snort org>
Date: Mon, 3 Mar 2003 08:53:38 -0500 (EST)
On Sun, 2 Mar 2003, Vlad Gavrila wrote:
> I have recently installed Snort 1.9 on a Linux box that also acts as a proxy and DNS server for my LAN. After having it run for a few hours, I found many portscan logs targeted against my server, that have the source port either 80 or 53. I know that these come from sequential response to either HTTP or DNS requests. My problem is blocking those connections that are using 80 or 53 as their source port. Is there a way to solve this?
If you look at the traffic, you should see that it's coming from websites that you surf and visit. Since you're using a proxy, all web requests on the 'inside' must go thru the proxy to get 'outside'. Look at some of the traffic. I'm sure you'll see that it's just normal web and/or DNS traffic.

If you want to ignore traffic, you have two options [0]. Both have the potential to open a hole in your security, so be cautious.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.theadamsfamily.net/~erek/snort/ignore.txt