Snort mailing list archives
spp_portscan logging, though not enabled in config
From: robe () alfa21 com (Roberto Suarez Soto)
Date: Fri, 14 Dec 2001 13:26:41 +0100
I've got a nasty problem with spp_portscan. Maybe it's a misconfiguration, but anyway it's a problem.

The thing is: I'm getting a lot of false alarms of portscans ... though I disabled portscan detection in snort.conf. I mean: I commented out every portscan (spp_portscan and spp_stream4) plugin. And anyway, I'm still getting a whole big amount of portscan detections. And the portscan alerts are from the IPs of the machine itself. The machine has 9 IPs assigned to the same interface, BTW; maybe that is a problem? :-?

Anyway: why does spp_portscan log things, when I've got it disabled? Is there some "default" spp_portscan configuration that I'm not aware of?

Before commenting it out, I tried all the "FAQ-ish" things: creating a $DNS_SERVERS variable (format with 24 and/or 32 bitmask) and adding it to portscan-ignorehosts, in particular. No success.

So, I'm quite puzzled. Thanks in advance.

--
Roberto Suarez Soto
Alfa21 Outsourcing
robe () alfa21 com
http://www.alfa21.com