Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: spp_portscan2 proxy alerts

From: Erek Adams <erek () snort org>
Date: Tue, 14 Jan 2003 02:05:02 -0500 (EST)
On Mon, 13 Jan 2003 gr8dane2 () bellsouth net wrote:


If this message gets posted twice, I'm sorry, I accidently sent it from
a different address and it got held.  (Ok, I'll drink!)


Damn....  And I thought I was gonna get someone on that new one!  ;-)



Hello, I'm trying to eliminate some false alerts and I know this one has
been discussed, but I seem to be finding conflicting information and
would like to know what your thoughts are.  First, my setup:


[...excellent info snipped...]


I get about 10 or 12 an hour.  I have found many references to this
situation.  I have followed much of the advice, but seem to find myself
chasing my tail.  I have configured spp_portscan to ignore hosts and
specified my BM, but this had no effect on portscan2.  I have put the
same ignore hosts command for the portscan2 as someone had suggested,
but that didn't work either.  The only thing I haven't tried yet, was
someone suggested downloading his personal code that would allow you to
do an ignore ports setting for portscan2.  It involves compiling the
software which I am unfamiliar with.  That's why I used the binary on
Windows.  Not to mention, I am a little weary about trusting such a
situation.  Any help would be greatly appreciated!  Also, thank you all
for contributing so much!  The archives have already solved many
problems for me.


I'm not a Code God, or even a Code Demi-God.  :)  But, IIRC, the
ignorehosts in portscan2 is a bit broken.  :-/  I'll have to have a look
at it and pray I understand it.  ;-)

You might want to try using this [0] to ignore things from a host.  It
works very well on a *NIX or *BSD platform

Good luck!  Take care!

-----
Erek Adams

   "When things get weird, the wierd turn pro."   H.S. Thompson


[0]     http://www.theadamsfamily.net/~erek/snort/


-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: