Snort mailing list archives

RE: spp_portscan

From: Hytham Abu-Safieh <habusafieh () rim net>
Date: Tue, 18 Dec 2001 11:56:23 -0500

in snort.conf uncomment the following line:
 
#preprocessor portscan-ignorehosts: $DNS_SERVERS
 
That should take care of your problem.
 
-H
-----Original Message-----
From: David Gitman [mailto:david () gitman net]
Sent: December 18, 2001 6:34 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_portscan


My DNS server (only my secondary) keeps showing up as a port scan.  I set 
 
var DNS_SERVERS [166.84.143.28/32,198.7.0.2/32]
 
but still am seeing 
 
12/18-06:30:22.075845  [**] [100:2:1] spp_portscan: portscan status from
198.7.0.2: 1 connections across 1 hosts: TCP(0), UDP(1) [**]
 
any suggestions?
 
Thanks,
 
David Gitman
david () gitman net <mailto:david () gitman net> 
www.gitman.net <http://www.gitman.net>

Current thread:

spp_portscan David Gitman (Dec 18)
- Re: spp_portscan Phil Wood (Dec 18)
- <Possible follow-ups>
- RE: spp_portscan Hytham Abu-Safieh (Dec 18)