Snort mailing list archives

Re: Portscan2...


From: Tobias Rice <rice () up edu>
Date: Sat, 22 Mar 2003 11:16:07 -0800 (PST)

Thank you all for your responses!
FYI, I am not scanning my server locally, I'm using a workstation.
I'll try a BPF filter and update you later.
Thanks again!


On Sat, 22 Mar 2003, Erek Adams wrote:

> On Sat, 22 Mar 2003, Tobias Rice wrote:
>
> > I'm using portscan2, and I'm getting many alerts from myself:
> > (spp_portscan2) Portscan detected from 111.222.333.444: 21 targets 21
> > ports in 0 seconds
> > (names changed to protect the innocent)
> >
> > Mostly DNS lookup I think (port 53)
>
> 53 UDP for lookups, TCP 53 for zone x-fers.
>
> > So, how do I prevent this? I tried this:
> > preprocessor portscan2-ignorehosts: 111.222.333.444
> > and now I don't get any alerts when I'm portscanned.
>
> It's working exactly as it should.  Ignore host 111.222.333.444 with
> regards to any type of portscan.  It should only ignore it as the source,
> not as the dest.  I can't speak on that 100% without looking thru the
> code.  If you're scanning yourself from that same box, then that is the
> expected behavior.  I'd suggest using something like grc.com for a remote
> scan.
>
> > I want to ignore alerts from 111.222.333.444 port 53 and 5060, (or any
> > scans coming FROM me) yet still detect all other incoming scans.
>
> Use a BPF filter.
>
>       not host 111.222.333.444 and not port (53 or 5060)
>
> Only problem with this is that if you have a dynamic IP, you'll have to
> redo the filter with each IP change.  Granted a little scripting and this
> becomes a non-issue.  :)
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
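Erek's "a little scripting" for the dynamic-IP case, worked through as an added example (not code from the thread or from Snort): a POSIX sh helper that reads the sensor's address from iproute2-style `ip -4 -o addr show` output (the sample line is constructed), renders the port list into BPF syntax, and builds both the filter as posted and a narrower `src host`/`src port` form, because `not host X` discards packets sent to X as well as from it, so scans against the sensor would go unseen. The interface name, the port list and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: derive Snort's BPF filter from the
# sensor's current IPv4 address so a dynamic IP needs no hand edits.
# IFACE, IGNORE_PORTS and the sample `ip` line below are assumptions.

IFACE="${IFACE:-eth0}"
IGNORE_PORTS="53 5060"

# First IPv4 address in `ip -4 -o addr show` style output, read from stdin
# so the function can be fed constructed text offline.
first_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Turn "53 5060" into BPF's "(53 or 5060)" list form.
bpf_port_list() {
    printf '%s' "$1" | awk '{ s = $1; for (i = 2; i <= NF; i++) s = s " or " $i; print "(" s ")" }'
}

# Filter exactly as posted: drops every packet to or from the host, and
# every packet on the listed ports whoever the peer is.
build_filter_broad() {
    printf 'not host %s and not port %s\n' "$1" "$(bpf_port_list "$2")"
}

# Narrower form: drops only packets the host itself sends from those ports
# (its DNS/SIP replies), so inbound scans against the host are still seen.
build_filter_narrow() {
    printf 'not (src host %s and src port %s)\n' "$1" "$(bpf_port_list "$2")"
}

# Constructed stand-in for `ip -4 -o addr show dev eth0` (192.0.2.10 is a
# documentation-range address, not the poster's real host).
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

if [ "${1:-}" = "--print" ]; then
    ip_now=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_ipv4)
    # Live use: ip_now=$(ip -4 -o addr show dev "$IFACE" | first_ipv4)
    # Snort takes the pcap filter expression as its trailing argument.
    echo "snort -i $IFACE -c /etc/snort/snort.conf '$(build_filter_narrow "$ip_now" "$IGNORE_PORTS")'"
fi
```

Run with `--print` to see the resulting snort invocation; re-running it from a cron job or a DHCP client hook regenerates the filter whenever the address changes.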



