Snort mailing list archives
RE: spp_portscan2 proxy alerts
From: "Dane Howard" <Gr8Dane2 () bellsouth net>
Date: Mon, 13 Jan 2003 18:30:03 -0500
Ok, someone answered my question and I deleted it before responding. I did try the spp_portscan2 ignore-hosts option. But, at the time I tested it I was using IDScenter. I quit using IDScenter due to a problem it has with Stream4 (it doesn't disable the evasive scan alert). So, I went back and tested the ignore again and, sure enough, it works when not using IDScenter. So, beware: if you are using IDScenter and have problems with either of these scans, that is probably your problem. I have posted a comment on their website in regards to it.

And don't get me wrong, I'm not dogging IDScenter. Otherwise it is a great program worth a look if you're not using it now. Not to mention, it does a good job of the all-elusive automatic emailing of alerts!

Thanks for your response.

Thanks again,
Dane

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of gr8dane2 () bellsouth net
Sent: Monday, January 13, 2003 3:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_portscan2 proxy alerts

If this message gets posted twice, I'm sorry, I accidentally sent it from a different address and it got held. (Ok, I'll drink!)

Hello,

I'm trying to eliminate some false alerts and I know this one has been discussed, but I seem to be finding conflicting information and would like to know what your thoughts are.

First, my setup:

Sensor: Snort 1.9.0 Win32 binary downloaded from Snort.org, running on a Windows XP system. It sits between a Novell BorderManager firewall and my LAN. It is logging the information to a MySQL server. I also have another sensor outside the firewall, but I'm not concerned with that for this problem.

Server: Windows XP running MySQL 3.23.54 and ACID 0.9.6 b23 on IIS 5.1.

The BorderManager server is set up as a proxy. Therefore, I am getting the usual spp_portscan2 traffic:

[snort] (spp_portscan2) Portscan detected from <BorderManager>: 1 targets 21 ports in 41 seconds

I get about 10 or 12 an hour. I have found many references to this situation. I have followed much of the advice, but seem to find myself chasing my tail. I have configured spp_portscan to ignore hosts and specified my BM, but this had no effect on portscan2. I have put the same ignore-hosts command for the portscan2 as someone had suggested, but that didn't work either.

The only thing I haven't tried yet was someone suggested downloading his personal code that would allow you to do an ignore-ports setting for portscan2. It involves compiling the software, which I am unfamiliar with. That's why I used the binary on Windows. Not to mention, I am a little wary about trusting such a situation.

Any help would be greatly appreciated! Also, thank you all for contributing so much! The archives have already solved many problems for me.

Dane Howard

-------------------------------------------------------
This SF.NET email is sponsored by: FREE SSL Guide from Thawte
Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
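As an added example (not code from the thread or from the Snort project), here is the shape of the snort.conf fragment that the reply above says worked once IDScenter was out of the way: the conversation and portscan2 preprocessors with their stock thresholds, followed by the ignore-hosts directive for the proxy. The directive names and default values are taken from the Snort 1.9 documentation as I remember them and are an assumption; the address 192.0.2.10 is a placeholder for the BorderManager's inside interface, not a value from the page.

```conf
# Snort 1.9 snort.conf fragment (added example; directive names assumed from the 1.9 docs).
# portscan2 builds on the conversation preprocessor, so conversation must be loaded first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

# Stock portscan2 thresholds: one source touching more than port_limit (20) ports
# or target_limit (5) hosts inside timeout (60 s) raises an alert. The
# "1 targets 21 ports in 41 seconds" message in the thread is exactly a busy
# proxy crossing the port_limit threshold.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Exempt the proxy's inside address from portscan2 (placeholder, replace with the
# BorderManager IP). Keep this list to known proxies/NAT devices: any host listed
# here is invisible to portscan2, so real scans relayed through it will only be
# seen by a sensor on the other side, such as the outside sensor mentioned above.
preprocessor portscan2-ignorehosts: 192.0.2.10
```

Two checks are worth doing after editing: first, confirm the line is still present in the file Snort actually loads, since the reply's whole problem was a front-end (IDScenter) feeding Snort a configuration that did not match what was edited; second, let Snort parse the configuration before relying on it (Snort's `-T` switch, which tests the configuration and exits, existed in this era to my knowledge; treat that as an assumption and check `snort -?` on the 1.9.0 Win32 build).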
Current thread:
- spp_portscan2 proxy alerts gr8dane2 (Jan 13)
- RE: spp_portscan2 proxy alerts Dane Howard (Jan 13)
- Re: spp_portscan2 proxy alerts Erek Adams (Jan 13)
- DNS on Log Messsages? Mike Koponick (Jan 14)
- Re: DNS on Log Messsages? Erek Adams (Jan 14)
- Re: DNS on Log Messsages? spy guy (Jan 15)
- DNS on Log Messsages? Mike Koponick (Jan 14)