Snort mailing list archives
Re: HP Jetdirect Printers and portscans
From: Joe McAlerney <joey () SiliconDefense com>
Date: Fri, 29 Jun 2001 10:12:03 -0700
Hello Paul,

You could add them to the portscan-ignorehosts list, or raise your threshold a bit. 10 connections in 20 seconds seems a bit low. It seems web browsing to pages with 10 or more banner ads would set that off as well.

-Joe M.

--
Joe McAlerney, joey () silicondefense com
Silicon Defense - Technical Support for Snort
http://www.silicondefense.com/

Paul Asadoorian wrote:
I am logging all my HP JetDirect printers (we have many, like 100's) in the portscan module:

Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3649 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3650 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3651 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3652 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3653 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3654 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3655 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3656 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3657 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3658 UDP
Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3659 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3660 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3661 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3662 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3663 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3665 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3666 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3667 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3668 UDP
Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3670 UDP
Jun 29 11:29:27 MY.NET.51.32:161 -> MY.NET.19.248:3720 UDP

My portscan settings are as follows:

preprocessor portscan: $HOME_NET 10 20 portscan.log

Any help is greatly appreciated...

BTW: MY.NET.51.32 is a Jet Direct Print Server and MY.NET.19.248 is a Novell Server

--
Paul Asadoorian, GCIA

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
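Added example (not part of the original thread and not Snort's own code): a simplified model of the "N ports in T seconds" threshold, run over constructed log lines in the format quoted above, showing the effect of the two remedies suggested in the reply. The function name, the `ignore` parameter, the assumed year 2001 and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Log line format as quoted in the thread:
#   "Jun 29 11:29:17 SRC:SPORT -> DST:DPORT UDP"
LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) (\S+):(\d+) -> (\S+):(\d+) (\w+)")

def flagged_sources(lines, ports=10, seconds=20, ignore=()):
    """Return sources that reach >= `ports` distinct (dst, port) pairs
    within `seconds`. Simplified model, not Snort's algorithm.
    `ignore` plays the role of the portscan-ignorehosts list."""
    recent = defaultdict(deque)   # src -> deque of (time, dst, dport)
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip anything that is not a log entry
        stamp, src, _sport, dst, dport, _proto = m.groups()
        if src in ignore:
            continue              # ignored hosts never count toward a scan
        # The log carries no year; 2001 is assumed here.
        ts = datetime.strptime("2001 " + stamp, "%Y %b %d %H:%M:%S")
        window = recent[src]
        window.append((ts, dst, int(dport)))
        # Drop entries that fell out of the detection period.
        while (ts - window[0][0]).total_seconds() > seconds:
            window.popleft()
        if len({(d, p) for _, d, p in window}) >= ports:
            flagged.add(src)
    return flagged

# Constructed sample: UDP source port 161 (SNMP) sending to 12 consecutive
# destination ports on one host within 2 seconds, as in the quoted log.
SAMPLE = [
    f"Jun 29 11:29:{17 + i // 6:02d} MY.NET.51.32:161 -> MY.NET.19.248:{3649 + i} UDP"
    for i in range(12)
]

if __name__ == "__main__":
    print(flagged_sources(SAMPLE))                            # 10 ports / 20 s
    print(flagged_sources(SAMPLE, ignore={"MY.NET.51.32"}))   # printer ignored
    print(flagged_sources(SAMPLE, ports=30))                  # raised threshold
```

Ignoring a host removes it from scan detection entirely, while raising the threshold keeps it monitored but less sensitive, so the two remedies trade off differently.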