Snort mailing list archives

Portscan2 woes


From: "Robin Brown" <robin_brown () totalcomm com>
Date: Fri, 2 May 2003 12:04:27 -0400

I'd like to use it, but I keep getting alerted on what looks like normal
return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167
05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0

I have the snort distribution provided by Demarc as they have their own
set of patches for use with a database:
-*> Snort! <*-
Version 2.0.0-db (Build 72)

Snort.conf settings:
preprocessor conversation: allowed_ip_protocols 1 6 7 50 51 47, timeout 60, max_conversations 32000

preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60

preprocessor portscan2-ignorehosts: 10.10.10.0/24

I also tried to use the alert_odd_protocols in the conversation
preprocessor, but that generated alerts on what appeared to be normal
UDP traffic.

Any hints?


Thanks and regards,
Robin
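The following triage script is an added example and is not part of the original post, nor is it Snort or Demarc code. It re-joins the wrapped portscan2 alert lines quoted above, decodes Snort's fixed-order `12UAPRSF` flag string, checks each record against the `target_limit 5` / `port_limit 20` values from the posted snort.conf, and flags records that have the shape of a server's side of a TCP handshake or teardown (well-known source port, ephemeral destination port, ACK together with SYN or RST). The interpretation of `tgts`/`ports` as per-scanner target and port counters, and the 1024 ephemeral-port boundary, are assumptions made for the example.

```python
"""Triage helper for Snort 2.0 portscan2 alert lines (added example, not Snort code)."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Thresholds copied from the portscan2 line in the posted snort.conf.
TARGET_LIMIT = 5
PORT_LIMIT = 20

# Snort prints TCP flags in the fixed column order "12UAPRSF"; '*' marks a clear bit,
# so "***A**S*" is SYN+ACK and "***A*R**" is RST+ACK.
FLAG_ORDER = "12UAPRSF"

ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+TCP\s+"
    r"src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+"
    r"tgts:\s*(?P<tgts>\d+)\s+ports:\s*(?P<ports>\d+)\s+"
    r"flags:\s*(?P<flags>\S+)\s+event_id:\s*(?P<event_id>\d+)"
)

# The three alert records quoted in the post, exactly as the mail client
# wrapped them (each record broken after "sport: 80").
POSTED_ALERTS = """\
05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80
dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80
dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167
05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80
dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    sport: int
    dport: int
    tgts: int    # assumed: distinct targets counted for this scanner
    ports: int   # assumed: distinct ports counted for this scanner
    flags: str
    event_id: int


def unwrap(text: str) -> List[str]:
    """Re-join records that a mail client wrapped onto a continuation line."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"\d\d/\d\d-\d\d:", line):   # a new record starts with a timestamp
            records.append(line)
        elif records:                            # otherwise it continues the last one
            records[-1] += " " + line
    return records


def parse_alerts(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for rec in unwrap(text):
        m = ALERT_RE.match(rec)
        if not m:
            continue                             # skip anything that is not a portscan2 record
        g = m.groupdict()
        alerts.append(Alert(g["ts"], g["src"], g["dst"], int(g["sport"]), int(g["dport"]),
                            int(g["tgts"]), int(g["ports"]), g["flags"], int(g["event_id"])))
    return alerts


def decode_flags(flags: str) -> Set[str]:
    """Turn '***A**S*' into {'A', 'S'} using Snort's 12UAPRSF column order."""
    return {name for name, ch in zip(FLAG_ORDER, flags) if ch != "*"}


def looks_like_server_reply(a: Alert) -> bool:
    """Heuristic (assumption): well-known source port, ephemeral destination port,
    and ACK set together with SYN or RST, i.e. a server answering a client."""
    f = decode_flags(a.flags)
    return a.sport < 1024 and a.dport >= 1024 and "A" in f and bool({"S", "R"} & f)


def exceeds_limits(a: Alert, target_limit: int = TARGET_LIMIT, port_limit: int = PORT_LIMIT) -> bool:
    """True when the displayed counters are above the configured portscan2 limits."""
    return a.tgts > target_limit or a.ports > port_limit


def triage(text: str) -> List[Tuple[int, bool, bool]]:
    """Per record: (event_id, looks like a server reply, counters exceed limits)."""
    return [(a.event_id, looks_like_server_reply(a), exceeds_limits(a)) for a in parse_alerts(text)]


if __name__ == "__main__":
    for a in parse_alerts(POSTED_ALERTS):
        print(f"{a.ts} {a.src}:{a.sport} -> {a.dst}:{a.dport} flags={sorted(decode_flags(a.flags))} "
              f"server_reply={looks_like_server_reply(a)} over_limit={exceeds_limits(a)}")
```

Run against the three records in the post, every one decodes as a reply from port 80 (SYN/ACK or RST/ACK) to a high port on 10.10.10.1, and none of them shows `tgts` or `ports` above the configured limits, which is the observation to carry into the follow-up: the displayed counters alone do not explain the alert, so the next thing to look at is how the conversation preprocessor is (or is not) tying these replies to the client's outbound connections.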



