Snort mailing list archives

Portscan2, where port !=X


From: "Jade E. Deane" <jade.deane () riven net>
Date: 30 Aug 2003 21:55:33 -0500

Is it possible to ignore a scan using portscan2, where the source port
is X?

Example:
07/06/03-17:55:19.708517  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:55:20.136362  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
07/06/03-17:55:20.268826  TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
Etc...

I'd like to ignore any scans where the remote host's source port is 80
or 443.

Regards,
Jade


-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
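
An added example, not part of the original post and not Snort code: a post-filter that reads portscan2 log entries in the format quoted above and sets aside only those that look like web-server replies (TCP, source port 80 or 443, SYN and ACK both set), so a SYN-only entry from source port 443 is still reported. The function names, the SYN+ACK condition and the sample entries are assumptions made for illustration; the sample uses constructed addresses.

```python
import re

# One portscan2 log entry; \s+ also tolerates entries hard-wrapped by a mail client.
ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>\w+)\s+"
    r"src:\s+(?P<src>\S+)\s+dst:\s+(?P<dst>\S+)\s+"
    r"sport:\s+(?P<sport>\d+)\s+dport:\s+(?P<dport>\d+)\s+"
    r"tgts:\s+(?P<tgts>\d+)\s+ports:\s+(?P<ports>\d+)\s+"
    r"flags:\s+(?P<flags>\S{8})\s+event_id:\s+(?P<event_id>\d+)"
)

REPLY_PORTS = {80, 443}  # the two source ports named in the post


def parse_entries(text):
    """Return every log entry found in text as a dict of string fields."""
    return [m.groupdict() for m in ENTRY.finditer(text)]


def is_server_reply(entry, ports=REPLY_PORTS):
    """True for TCP entries from a web port that carry both SYN and ACK."""
    flags = entry["flags"]
    return (entry["proto"] == "TCP" and int(entry["sport"]) in ports
            and "S" in flags and "A" in flags)


def split_entries(text):
    """Split entries into (kept, ignored); ignored ones are server replies."""
    kept, ignored = [], []
    for entry in parse_entries(text):
        (ignored if is_server_reply(entry) else kept).append(entry)
    return kept, ignored


# Constructed sample: a wrapped SYN+ACK reply, then two SYN-only entries.
SAMPLE = """
07/06/03-17:55:19.708517  TCP src: 192.0.2.10 dst: 10.0.0.3 sport:
443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:56:02.100000  TCP src: 198.51.100.7 dst: 10.0.0.3 sport: 443 dport: 22 tgts: 1 ports: 25 flags: ******S* event_id: 109
07/06/03-17:56:40.200000  TCP src: 198.51.100.7 dst: 10.0.0.3 sport: 40112 dport: 23 tgts: 1 ports: 26 flags: ******S* event_id: 109
"""

if __name__ == "__main__":
    kept, ignored = split_entries(SAMPLE)
    for entry in kept:
        print("KEEP", entry["src"], entry["sport"], entry["flags"])
    print(len(ignored), "entries ignored as server replies")
```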
