Snort mailing list archives
Re: portscan2 false positives from web browsing
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 19 Aug 2003 15:56:39 -0400
At 03:28 PM 8/18/2003 -0700, Ricky Charlet wrote:
Howdy,

(I think) If I browse any web site which has banner ads, then the portscan2 preprocessor alarms with something like:

=========cut=========
Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_AD_SERVER?>:80
=========paste=========

This produces a lot of false positive "portscan detected" events in my logs. Is there a way to ignore portscans ORIGINATING from my host AND targeted to port 80?
Yep, that's exactly what portscan2 should do... in general, you probably want to ignore your local machines with a portscan2_ignorehosts statement.

Also, opening any page with a large number of small images can cause a browser to literally open hundreds of HTTP connections in a one-second period. This makes it appear to portscan2 that such machines are doing a scan. It's completely impractical to use portscan2 without anything on the ignore list.
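The following is an added example, not code from the thread or from Snort itself. It models the threshold rule the alert above reports on (a source that reaches more than a set number of distinct targets, or distinct target:port pairs, inside a time window is flagged) and shows why an ignore list is the practical fix: the same constructed flows contain a browser fetching six banner ads, which trips the target limit exactly as in Ricky's alert, and a real vertical scan of one host, which trips the port limit. The limit values (5 targets, 20 ports, 60 seconds) are assumed defaults, the way "ports" is counted is an assumption, and all flows and addresses are constructed for the example.

```python
"""Simplified portscan2-style detector with an ignore list (example code,
not Snort's spp_portscan2).  A source is flagged when, within TIMEOUT
seconds, it contacts more than TARGET_LIMIT distinct hosts or more than
PORT_LIMIT distinct host:port pairs.  The three values below are assumed
defaults for the example, not taken from the thread."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TARGET_LIMIT = 5
PORT_LIMIT = 20
TIMEOUT = 60

# Constructed sample of TCP connection attempts: (unix_time, src, dst, dport).
SAMPLE_FLOWS = (
    # A browser on 192.168.1.10 fetching six banner ads from six ad hosts
    # over 13 seconds: 6 targets, 6 host:port pairs, all on port 80.
    [(t, "192.168.1.10", f"203.0.113.{i}", 80)
     for i, t in enumerate((0, 2, 5, 7, 10, 13), start=1)]
    # A real vertical scan: one attacker, one target, 25 ports in 25 seconds.
    + [(100 + p, "198.51.100.7", "192.168.1.20", p) for p in range(1, 26)]
)


def detect_scans(flows, ignore_hosts=(), target_limit=TARGET_LIMIT,
                 port_limit=PORT_LIMIT, timeout=TIMEOUT):
    """Return one alert dict per burst that crosses a limit.

    ignore_hosts is a list of CIDR strings; flows from those sources are
    never counted, which is what an ignore-hosts statement does."""
    ignore = [ip_network(n) for n in ignore_hosts]
    windows = defaultdict(list)   # src -> [(time, dst, dport), ...]
    alerts = []
    for t, src, dst, dport in sorted(flows):
        if any(ip_address(src) in net for net in ignore):
            continue
        win = windows[src]
        win.append((t, dst, dport))
        # Expire entries that fell out of the sliding window.
        while win and t - win[0][0] > timeout:
            win.pop(0)
        targets = {d for _, d, _ in win}
        ports = {(d, p) for _, d, p in win}
        if len(targets) > target_limit or len(ports) > port_limit:
            alerts.append({
                "src": src,
                "targets": len(targets),
                "ports": len(ports),
                "seconds": t - win[0][0],
                "last": f"{dst}:{dport}",
            })
            win.clear()   # one alert per burst, then start a fresh window
    return alerts


def format_alert(a):
    """Render an alert in the same shape as the spp_portscan2 log line."""
    return (f"(spp_portscan2) Portscan detected from {a['src']}: "
            f"{a['targets']} targets {a['ports']} ports in "
            f"{a['seconds']} seconds {{TCP}} -> {a['last']}")


if __name__ == "__main__":
    print("Without an ignore list:")
    for a in detect_scans(SAMPLE_FLOWS):
        print("  " + format_alert(a))
    print("With 192.168.1.0/24 ignored:")
    for a in detect_scans(SAMPLE_FLOWS, ignore_hosts=["192.168.1.0/24"]):
        print("  " + format_alert(a))
```

Without the ignore list the browser is reported first ("6 targets 6 ports in 13 seconds", the same numbers as the alert in the thread) and the scanner second; with the local /24 ignored only the scanner remains. Filtering on destination port 80 instead, as the question suggests, would also hide a real scan that happens to hit web servers, which is why excluding known local sources is the safer knob.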