Snort mailing list archives

spp_portscan logging, though not enabled in config


From: robe () alfa21 com (Roberto Suarez Soto)
Date: Fri, 14 Dec 2001 13:26:41 +0100


        I've got a nasty problem with spp_portscan. Maybe it's a
misconfiguration, but anyway it's a problem.

        The thing is: I'm getting a lot of false alarms of portscans ...
though I disabled portscan detection in snort.conf. I mean: I commented out
every portscan (spp_portscan and spp_stream4) plugin. And anyway, I'm still
getting a large number of portscan detections. And the portscan alerts are
from the IPs of the machine itself. The machine has 9 IPs assigned to the same
interface, BTW; maybe that is a problem? :-?

        Anyway: why does spp_portscan log things, when I've got it disabled?
Is there some "default" spp_portscan configuration that I'm not aware of?

        Before commenting it out, I tried all the "FAQ-ish" things: creating a
$DNS_SERVERS variable (format with 24 and/or 32 bitmask) and adding it to
portscan-ignorehosts, in particular. No success. So, I'm quite puzzled.

        Thanks in advance.

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com
