Snort mailing list archives
Re: Portscan2...
From: Tobias Rice <rice () up edu>
Date: Sat, 22 Mar 2003 11:16:07 -0800 (PST)
Thank you all for your responses! FYI, I am not scanning my server locally, I'm using a workstation. I'll try a BPF filter and update you later. Thanks again!

On Sat, 22 Mar 2003, Erek Adams wrote:
> On Sat, 22 Mar 2003, Tobias Rice wrote:
>
> > I'm using portscan2, and I'm getting many alerts from myself:
> >
> > (spp_portscan2) Portscan detected from 111.222.333.444: 21 targets 21 ports in 0 seconds
> >
> > (names changed to protect the innocent)
> > Mostly DNS lookup I think (port 53)
>
> 53 UDP for lookups, TCP 53 for zone x-fers.
>
> > So, how do I prevent this? I tried this:
> >
> > preprocessor portscan2-ignorehosts: 111.222.333.444
> >
> > and now I don't get any alerts when I'm portscanned.
>
> It's working exactly as it should. Ignore host 111.222.333.444 with regards to any type of portscan. It should only ignore it as the source, not as the dest. I can't speak on that 100% without looking thru the code. If you're scanning yourself from that same box, then that is the expected behavior. I'd suggest using something like grc.com for a remote scan.
>
> > I want to ignore alerts from 111.222.333.444 port 53 and 5060, (or any scans coming FROM me) yet still detect all other incoming scans.
>
> Use a BPF filter.
>
> not host 111.222.333.444 and not port (53 or 5060)
>
> Only problem with this is that if you have a dynamic IP, you'll have to redo the filter with each IP change. Granted a little scripting and this becomes a non-issue. :)
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Crypto Challenge is now open!
> Get cracking and register here for some mind boggling fun and
> the chance of winning an Apple iPod:
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
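Added example, not part of the thread: a Python model of which packets reach Snort under the filter posted above and under a tighter variant, plus the string rebuild for a changing IP that the "little scripting" remark refers to. The address 192.0.2.10, the sample packets and `scoped_filter` are assumptions of this example; nobody in the thread posted the scoped form.

```python
import ipaddress

PORTS = (53, 5060)   # the two ports named in the thread
ME = "192.0.2.10"    # constructed stand-in for the poster's address

def _ports(ports):
    return " or ".join(str(p) for p in ports)

def posted_filter(ip, ports=PORTS):
    """Filter as posted in the thread, rebuilt for the current IP."""
    ipaddress.ip_address(ip)  # ValueError on a malformed address
    return f"not host {ip} and not port ({_ports(ports)})"

def scoped_filter(ip, ports=PORTS):
    """Assumed tighter variant: hide only packets sent BY ip on those ports."""
    ipaddress.ip_address(ip)
    return f"not (src host {ip} and port ({_ports(ports)}))"

# Models of how libpcap evaluates each expression. A packet is
# (src, sport, dst, dport); True means the packet reaches Snort.
def passes_posted(pkt, ip, ports=PORTS):
    src, sport, dst, dport = pkt
    host = ip in (src, dst)                    # "host" matches either end
    port = sport in ports or dport in ports    # "port" matches either end
    return (not host) and (not port)

def passes_scoped(pkt, ip, ports=PORTS):
    src, sport, dst, dport = pkt
    return not (src == ip and (sport in ports or dport in ports))

PACKETS = {  # constructed samples
    "own DNS reply": (ME, 53, "198.51.100.7", 40000),
    "probe to me:22": ("203.0.113.5", 44321, ME, 22),
    "probe to me:5060": ("203.0.113.5", 44322, ME, 5060),
    "other host DNS": ("203.0.113.5", 40001, "198.51.100.7", 53),
    "other host web": ("203.0.113.5", 44323, "198.51.100.7", 80),
}

def visibility(ip=ME):
    """Map sample name -> (seen with posted filter, seen with scoped filter)."""
    return {n: (passes_posted(p, ip), passes_scoped(p, ip)) for n, p in PACKETS.items()}

if __name__ == "__main__":
    print(posted_filter(ME)); print(scoped_filter(ME))
    for name, (posted, scoped) in visibility().items():
        print(f"{name:18} posted={posted!s:5} scoped={scoped}")
```

The scoped variant still hides anything that host itself sends on ports 53 and 5060, so it narrows the blind spot rather than removing it.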
Current thread:
- Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Alberto Gonzalez (Mar 22)
- Re: Portscan2... Alberto Gonzalez (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Jim Burwell (Mar 22)
- Re: Portscan2... Erek Adams (Mar 23)
- Re: Portscan2... Jim Burwell (Mar 23)