Snort mailing list archives
Re: Preprocessor PortScan2 is not doing what it.....
From: Alberto Gonzalez <albertg () wwjh net>
Date: Sat, 15 Mar 2003 01:35:20 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
Hello { yawn... }
I ran into a problem with "preprocessor portscan2",My snort.conf file is below. When i add eth0_ADDRESS to: preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS SNORT starts PROPERLY and it stops alerting the webtraffic, "thats what i want", BUT it also STOPS alerting me for PORTSCANS i checked this twice, once with it on the line and once with out it and when it wasnt there it LOGGED MY PORT SCANS **(SOO im not sure what to try now to get rid of the WEBTRAFFIC but still LOG PORTSCANS???)**
When you put $eth0_ADDRESS into ignorehosts, you're telling spp_portscan2 to ignore all portscans from that host. So outbound portscans (web-traffic) will be ignored. Which is what you want. I don't know if it matches for both source and destination, or either or, so I can't verify that putting $eth0_ADDRESS might ignore ALL traffic. What you might want to try is adding a pass rule, or using bpf filters in a file or in the command line to ignore web-traffic while still logging portscans via spp_portscan2. preprocessor portscan2-ignorehosts: 68.50.189.203/32 is my configuration, and I still see portscans. Try adding CIDR notation to it? Here is an example for illustration: snort <command line options> 'not port 80 && not port 443 && not host x.x.x.x'
[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 6 seconds 2003-03-14 21:52:08 152.175.40.197:35456 152.175.60.183:20 TCP #1-(2-1624) [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 12 seconds 2003-03-14 21:51:14 152.175.40.197:35453 152.175.60.183:19 TCP #2-(2-1623) [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 2 targets 16 ports in 18 seconds 2003-03-14 21:50:38 152.175.40.197:35453 152.175.60.183:1 TCP
Cheers, Alberto Gonzalez - -- "Success comes to the person who does today, what you are thinking of doing tomorrow." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+csmra3vAB/3yp/IRAq+7AJwIeqndo4NWIfK8XGp6KuUErS/K0wCgsJ2Z 9npvHVq8SBOV6YMs3qpCOx8= =mGc2 -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Preprocessor PortScan2 is not doing what it..... mike Hughes (Mar 14)
- Re: Preprocessor PortScan2 is not doing what it..... Alberto Gonzalez (Mar 14)