Snort mailing list archives

Re: portscan reported from virtual interfaces


From: Dragos Ruiu <dr () kyx net>
Date: Fri, 20 Jul 2001 12:32:05 -0700

On Fri, 20 Jul 2001, Jeffrey Meltzer wrote:
> Hi,
>
> I'm having a problem where snort is reporting portscans from virtual
> interfaces on the box where portscan is running (ie, it's reporting that
> le0:1 is scanning le0).
>
> Anybody know how I can tell it to not look for this? It's filling up the
> logfiles fairly quickly.


Uhm.... the flippant answer is to say "Don't run snort on those interfaces..."

But I suspect you are running RedHat's err... funky pcap that funnels all the
interfaces into one process.... 

How about.... disable portscan detection on that main all i/f snort and run a
separate snort with only portscan detection enabled on the interfaces you do
care to receive portscan info about... or separate it out to run separate
discrete configs for each interface explicitly using the interface command line
switch...

As a first cut at it those are some suggestions... hope this helps or
<eliza> maybe you can explain your problem further...</eliza>.

cheers,
--dr
