Snort mailing list archives
Re: sfPortscan - false positive
From: Izik Birka <Izik.Birka () hot net il>
Date: Sun, 21 Feb 2016 15:35:44 +0000
This is my configuration:

# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners { IP,IP,IP } \
    ignore_scanned { IP,IP/24,IP,IP/24, IP,IP,IP } \
    scan_type { portscan }

As you can see, I configured scan_type and I started to exclude IPs, then I realized that it's going to be hard work, so I started searching for a better solution. What can I configure in the thresholding file? I want, for example, to receive an alert for 10 ports attempted scanned or more per IP; this will reduce a lot of my alerts...

From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 21, 2016 4:33 PM
To: Izik Birka <Izik.Birka () hot net il>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sfPortscan - false positive

If you review the sfportscan configurations here: http://manual.snort.org/node79.html, you can specify the scan type and the scan sensitivity, watch, and ignore. Portsweep is different from portscan; this is just an example.

YM
Sent from Mobile

On Sun, Feb 21, 2016 at 6:28 AM -0800, "Izik Birka" <Izik.Birka () hot net il> wrote:

How can this data help me? If I can't change the ratio, I continue to get false positive alerts. Is there any way to configure the number of scanning attempts and the time period for the alert to show? In the past the command was a bit different and I was able to configure it.

Example:
preprocessor portscan: 192.168.1.0/24 10 60
10 is the number of scanning attempts
60 is the time period

Thanks
Izik Birka

From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 21, 2016 4:20 PM
To: Izik Birka <Izik.Birka () hot net il>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sfPortscan - false positive

I believe they refer to the data generated by the preprocessor. Review the distribution of the data points mentioned. I am not on a computer to verify.

YM
Sent from Mobile

On Sun, Feb 21, 2016 at 3:20 AM -0800, "Izik Birka" <Izik.Birka () hot net il> wrote:

Hi,
I'm trying to tune PortScan false positives. I found this explanation on the Snort site: "Make use of the Priority Count, Connection Count, IP Count, Port Count, IP range, and Port range to determine false positives." But I didn't understand where I can change those values. Who knows?

Thanks
Izik Birka

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
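The fields the manual tells Izik to use (Priority Count, Connection Count, IP Count, Port/Proto Count, port range) are not knobs in snort.conf; they are values written into each sfPortscan alert, and a threshold or event_filter entry on the preprocessor's GID counts alerts, not the ports inside one alert. The per-IP "10 ports or more" cutoff and the old "N attempts in M seconds" rule he describes therefore have to be applied to the alert data after Snort has raised it. The script below is an added example and is not part of the thread or of Snort; it assumes the alerts are in the sfportscan logfile block format documented in README.sfportscan, and the three sample events in SAMPLE_LOG are constructed for illustration, not captured traffic.

```python
"""Post-filter sfPortscan alerts on the fields README.sfportscan names.

Added example, not Snort code and not posted in the thread. Assumption: the
input is the sfportscan "logfile" output, one blank-line-separated block per
event. SAMPLE_LOG is constructed, not captured traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: three portscan events, two from the same scanner.
SAMPLE_LOG = """\
Time: 02/21-15:07:31.603880
event_id: 1
10.0.0.5 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 5
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 5
Port/Proto Range: 22:80

Time: 02/21-15:08:02.118220
event_id: 2
10.0.0.9 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 12
Connection Count: 14
IP Count: 1
Scanner IP Range: 10.0.0.9:10.0.0.9
Port/Proto Count: 14
Port/Proto Range: 21:3389

Time: 02/21-15:09:45.000101
event_id: 3
10.0.0.5 -> 10.0.0.21 (portscan) TCP Portscan
Priority Count: 2
Connection Count: 3
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 3
Port/Proto Range: 25:110
"""

TIME_RE = re.compile(r"^Time: (\S+)$")
ID_RE = re.compile(r"^event_id: (\d+)$")
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \((\w+)\) (.+)$")
COUNT_RE = re.compile(r"^(Priority Count|Connection Count|IP Count|Port/Proto Count): (\d+)$")
PORT_RANGE_RE = re.compile(r"^Port/Proto Range: (\d+):(\d+)$")


@dataclass
class PortscanEvent:
    time: datetime
    event_id: int
    scanner: str
    target: str
    description: str
    priority_count: int
    connection_count: int
    ip_count: int
    port_count: int
    port_range: tuple[int, int]


def parse_sfportscan_log(text: str) -> list[PortscanEvent]:
    """Parse logfile text into one PortscanEvent per blank-line-separated block."""
    events: list[PortscanEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: dict = {}
        counts: dict[str, int] = {}
        for line in block.splitlines():
            line = line.strip()
            if m := TIME_RE.match(line):
                # Snort omits the year; strptime fills in 1900, fine for relative timing.
                rec["time"] = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
            elif m := ID_RE.match(line):
                rec["event_id"] = int(m.group(1))
            elif m := HEADER_RE.match(line):
                rec["scanner"], rec["target"], rec["description"] = m.group(1), m.group(2), m.group(4)
            elif m := COUNT_RE.match(line):
                counts[m.group(1)] = int(m.group(2))
            elif m := PORT_RANGE_RE.match(line):
                rec["port_range"] = (int(m.group(1)), int(m.group(2)))
        events.append(PortscanEvent(
            priority_count=counts["Priority Count"],
            connection_count=counts["Connection Count"],
            ip_count=counts["IP Count"],
            port_count=counts["Port/Proto Count"],
            **rec,
        ))
    return events


def events_with_min_ports(events: list[PortscanEvent], min_ports: int) -> list[PortscanEvent]:
    """The '10 ports or more per IP' cutoff: keep events whose Port/Proto Count reaches min_ports."""
    return [e for e in events if e.port_count >= min_ports]


def max_connections_in_window(events: list[PortscanEvent], scanner: str, seconds: int) -> int:
    """Largest Connection Count total one scanner produced inside any window of
    `seconds`: the old-style '<attempts> in <seconds>' rule, rebuilt from alerts."""
    series = sorted((e.time, e.connection_count) for e in events if e.scanner == scanner)
    best = running = start = 0
    for t_end, conns in series:
        running += conns
        while (t_end - series[start][0]).total_seconds() > seconds:
            running -= series[start][1]
            start += 1
        best = max(best, running)
    return best


if __name__ == "__main__":
    parsed = parse_sfportscan_log(SAMPLE_LOG)
    for ev in events_with_min_ports(parsed, 10):
        print(f"event {ev.event_id}: {ev.scanner} touched {ev.port_count} ports {ev.port_range}")
    print("10.0.0.5 connections in any 60 s:", max_connections_in_window(parsed, "10.0.0.5", 60))
```

Run against a real sfportscan logfile, only the second sample event survives the 10-port cutoff, while the two low-count events from 10.0.0.5 are what ignore_scanners lists were being hand-built to suppress. Tuning sense_level and scan_type still changes what Snort emits in the first place; this filter only decides which of the emitted alerts are worth a ticket.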
Current thread:
- sfPortscan - false positive Izik Birka (Feb 21)
- <Possible follow-ups>
- sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 21)
- Re: sfPortscan - false positive Y M (Feb 21)
- Re: sfPortscan - false positive Izik Birka (Feb 22)
- Re: sfPortscan - false positive Y M (Feb 21)