Snort mailing list archives
Re: spp_portscan2 proxy alerts
From: Erek Adams <erek () snort org>
Date: Tue, 14 Jan 2003 02:05:02 -0500 (EST)
On Mon, 13 Jan 2003 gr8dane2 () bellsouth net wrote:
If this message gets posted twice, I'm sorry, I accidentally sent it from a different address and it got held. (Ok, I'll drink!)
Damn.... And I thought I was gonna get someone on that new one! ;-)
Hello, I'm trying to eliminate some false alerts and I know this one has been discussed, but I seem to be finding conflicting information and would like to know what your thoughts are. First, my setup:
[...excellent info snipped...]
I get about 10 or 12 an hour. I have found many references to this situation. I have followed much of the advice, but seem to find myself chasing my tail. I have configured spp_portscan to ignore hosts and specified my BM, but this had no effect on portscan2. I have put the same ignore hosts command for the portscan2 as someone had suggested, but that didn't work either. The only thing I haven't tried yet is what someone suggested: downloading his personal code that would allow you to do an ignore ports setting for portscan2. It involves compiling the software, which I am unfamiliar with. That's why I used the binary on Windows. Not to mention, I am a little wary about trusting such a situation. Any help would be greatly appreciated! Also, thank you all for contributing so much! The archives have already solved many problems for me.
I'm not a Code God, or even a Code Demi-God. :) But, IIRC, the ignorehosts in portscan2 is a bit broken. :-/ I'll have to have a look at it and pray I understand it. ;-) You might want to try using this [0] to ignore things from a host. It works very well on a *NIX or *BSD platform.

Good luck!

Take care!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.theadamsfamily.net/~erek/snort/