Snort mailing list archives
RE: How to tell spp_portscan2 procesor to ignore ICMP events?
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 23 Sep 2003 10:23:07 -0500
Survey says:

    preprocessor conversation: allowed_ip_protocols 6 17, <rest of conversation config>.....

The allowed_ip_protocols part is followed by the protocols you want to watch (separated by spaces).

    1 = ICMP
    6 = TCP
    17 = UDP

-----Original Message-----
From: Jose Vicente Nunez Z [mailto:josevnz () newbreak com]
Sent: Monday, September 22, 2003 8:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to tell spp_portscan2 procesor to ignore ICMP events?

Greetings,

Because of the last Microsoft virus, my snort sensor keeps reporting the ICMP scans as portscans:

    Info: (spp_portscan2) Portscan detected from 216.159.9.41: 6 targets 6 ports in 0 seconds
    Reference:
    Ofender: 216.159.9.41
    Afected: XX.YY.ZZ.WW
    Impact: 1
    Reporter: 192.168.0.251
    Time sent: Monday, September 22, 2003 8:56:26 AM EDT
    Severity: Indeterminate

Checking the snort log files I found this:

    09/22-08:56:26.700768 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8 code: 0 tgts: 6 event_id: 0
    09/22-08:56:26.703816 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8 code: 0 tgts: 7 event_id: 17330
    09/22-08:56:26.718633 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8 code: 0 tgts: 8 event_id: 17330
    09/22-08:56:26.720693 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8 code: 0 tgts: 9 event_id: 17330
    09/22-08:56:26.734783 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8 code: 0 tgts: 10 event_id: 17330
    09/22-08:56:26.746651 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8 code: 0 tgts: 11 event_id: 17330
    09/22-08:56:26.766505 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8 code: 0 tgts: 12 event_id: 17330
    09/22-08:56:26.789508 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8 code: 0 tgts: 13 event_id: 17330

I have no hope that the victims will ever install an antivirus to fix the problem, and because our network is well protected I just want to ignore this type of ICMP scan. I checked the parameters for the spp_portscan plugin, but have no idea how to fix the issue.

Before I was getting the "Cyberkit ICMP" alerts, but I took those down too. Has anyone else experienced the same problem?

Thanks in advance,
--
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
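As an added illustration (not code from the thread or from Snort), the following Python reproduces offline what the `allowed_ip_protocols 6 17` answer does: it parses log lines in the spp_portscan2 format quoted above, tallies distinct targets per source host, and drops any event whose IP protocol is not on the allow-list, so an ICMP echo sweep never contributes to a portscan verdict. The sample log and its addresses are constructed, and the `host:port` layout of the TCP lines is an assumption the thread does not show.

```python
import re
from collections import defaultdict

# IP protocol numbers as the conversation preprocessor's allowed_ip_protocols takes them
ICMP, TCP, UDP = 1, 6, 17
PROTO_NUM = {"ICMP": ICMP, "TCP": TCP, "UDP": UDP}

# Leading fields of the spp_portscan2 log lines quoted in the thread, e.g.
#   "09/22-08:56:26.700768 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8 ..."
# Everything after the dst field (type/code, tgts, event_id) is ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>ICMP|TCP|UDP)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)"
)

# Constructed sample log using RFC 5737 documentation addresses, not the thread's real ones.
# The TCP lines assume a "host:port" layout for src/dst, which the thread does not show.
SAMPLE_LOG = """\
09/22-08:56:26.700768 ICMP src: 198.51.100.7 dst: 192.0.2.10 type: 8 code: 0 tgts: 1 event_id: 0
09/22-08:56:26.703816 ICMP src: 198.51.100.7 dst: 192.0.2.11 type: 8 code: 0 tgts: 2 event_id: 17330
09/22-08:56:26.718633 ICMP src: 198.51.100.7 dst: 192.0.2.12 type: 8 code: 0 tgts: 3 event_id: 17330
09/22-08:56:27.100000 TCP src: 203.0.113.5:40001 dst: 192.0.2.10:22 tgts: 1 event_id: 0
09/22-08:56:27.200000 TCP src: 203.0.113.5:40002 dst: 192.0.2.11:22 tgts: 2 event_id: 17331
"""

def strip_port(addr):
    """Return the host part of 'host' or 'host:port' (IPv4 only, as in the thread)."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def parse_line(line):
    """Parse one log line into (proto_number, src_host, dst_host), or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return PROTO_NUM[m.group("proto")], strip_port(m.group("src")), strip_port(m.group("dst"))

def count_targets(lines, allowed_ip_protocols=(TCP, UDP)):
    """Distinct destination hosts per source, counting only the allowed IP protocols.
    The default (6 17) mirrors the reply's config: ICMP events never reach the tally,
    so an echo-request sweep cannot yield a portscan verdict, but TCP/UDP scans still do.
    """
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        proto, src, dst = parsed
        if proto in allowed_ip_protocols:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}
```

With the default allow-list only the TCP source is tallied (two targets); passing `(ICMP, TCP, UDP)` instead re-admits the ICMP sweep and the pinging host shows up with three targets.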
Current thread:
- How to tell spp_portscan2 procesor to ignore ICMP events? Jose Vicente Nunez Z (Sep 22)
- <Possible follow-ups>
- RE: How to tell spp_portscan2 procesor to ignore ICMP events? Kreimendahl, Chad J (Sep 23)
- RE: How to tell spp_portscan2 procesor to ignore ICMP events? Jose Vicente Nunez Z (Sep 24)