Snort mailing list archives

Re: Preprocessor PortScan2 is not doing what it.....


From: Alberto Gonzalez <albertg () wwjh net>
Date: Sat, 15 Mar 2003 01:35:20 -0500 (EST)




Hello,

Hello { yawn... }


I ran into a problem with "preprocessor portscan2". My snort.conf file is 
below. When I add eth0_ADDRESS to:
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS

SNORT starts PROPERLY and it stops alerting on the web traffic, "that's what I 
want", BUT it also STOPS alerting me for PORTSCANS. I checked this twice, 
once with it on the line and once without it, and when it wasn't there it 
LOGGED MY PORT SCANS **(So I'm not sure what to try now to get rid of the 
WEBTRAFFIC but still LOG PORTSCANS???)**

When you put $eth0_ADDRESS into ignorehosts, you're telling spp_portscan2 
to ignore all portscans from that host. So outbound portscans 
(web-traffic) will be ignored. Which is what you want. I don't know if it 
matches for both source and destination, or either or, so I can't verify 
that putting $eth0_ADDRESS might ignore ALL traffic.

What you might want to try is adding a pass rule, or using bpf filters in 
a file or in the command line to ignore web-traffic while still logging 
portscans via spp_portscan2.

preprocessor portscan2-ignorehosts: 68.50.189.203/32 is my configuration, 
and I still see portscans. Try adding CIDR notation to it?

Here is an example for illustration:

snort <command line options> 'not port 80 && not port 443 && not host x.x.x.x'

[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 6 seconds    2003-03-14 21:52:08    152.175.40.197:35456    152.175.60.183:20    TCP
#1-(2-1624)    [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 12 seconds    2003-03-14 21:51:14    152.175.40.197:35453    152.175.60.183:19    TCP
#2-(2-1623)    [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 2 targets 16 ports in 18 seconds    2003-03-14 21:50:38    152.175.40.197:35453    152.175.60.183:1    TCP


 Cheers,
 Alberto Gonzalez

-- 
"Success comes to the person who does today, what you are thinking of doing tomorrow." 
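To make the distinction in the reply above concrete (listing a host in portscan2-ignorehosts versus filtering web ports out with a BPF expression before the preprocessor ever sees them), here is a small Python model of portscan-style thresholds. It is added here and is not Snort's own code: the addresses, flow records and thresholds are constructed, and whether ignorehosts matches the destination as well as the source is left as a switch, since the thread does not settle it.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (ts_seconds, src, dst, dst_port); not real captures.
SENSOR = "192.0.2.10"  # assumed address of the sensor's eth0 (stands in for $eth0_ADDRESS)
FLOWS = [(t, SENSOR, f"198.51.100.{t}", p)               # outbound web browsing from the sensor
         for t, p in enumerate([80, 443, 80, 80, 443, 80], start=1)]
FLOWS += [(20 + p, "203.0.113.5", SENSOR, p) for p in range(1, 25)]  # inbound 24-port scan

def portscan2_model(flows, ignorehosts=(), ignore_matches_dst=False, bpf_not_ports=(),
                    target_limit=5, port_limit=20, timeout=60):
    """Toy model of spp_portscan2 (not Snort's code): one source reaching
    target_limit distinct hosts or port_limit distinct ports within `timeout`
    seconds raises one alert.
      ignorehosts        CIDR list; a flow whose source (and, if ignore_matches_dst,
                         destination) falls in it is never counted.
      bpf_not_ports      ports dropped before detection, like 'not port 80' on
                         the snort command line."""
    nets = [ipaddress.ip_network(n) for n in ignorehosts]
    hit = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    seen, alerted, alerts = defaultdict(list), set(), []
    for ts, src, dst, port in sorted(flows):
        if port in bpf_not_ports:                            # filtered before Snort sees it
            continue
        if hit(src) or (ignore_matches_dst and hit(dst)):    # ignorehosts semantics
            continue
        # keep only this source's activity inside the timeout window
        seen[src] = [e for e in seen[src] if ts - e[0] <= timeout] + [(ts, dst, port)]
        targets = {d for _, d, _ in seen[src]}
        ports = {p for _, _, p in seen[src]}
        if src not in alerted and (len(targets) >= target_limit or len(ports) >= port_limit):
            alerted.add(src)
            alerts.append(f"Portscan detected from {src}: {len(targets)} targets "
                          f"{len(ports)} ports in {ts - seen[src][0][0]} seconds")
    return alerts

if __name__ == "__main__":
    print("no ignore / no filter :", portscan2_model(FLOWS))
    print("ignorehosts, src only :", portscan2_model(FLOWS, ignorehosts=[SENSOR + "/32"]))
    print("ignorehosts, src or dst:", portscan2_model(FLOWS, ignorehosts=[SENSOR + "/32"],
                                                       ignore_matches_dst=True))
    print("BPF not port 80/443   :", portscan2_model(FLOWS, bpf_not_ports={80, 443}))
```

The last two runs show the trade-off the poster hit: if the ignore list also matches the destination, the inbound scan against the sensor vanishes along with the web traffic, whereas dropping ports 80 and 443 before detection removes only the browsing and keeps the scan alert.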




Snort-users mailing list