Snort mailing list archives

Re: how to disable spp_porscan?


From: robe () alfa21 com (Roberto Suarez Soto)
Date: Tue, 18 Dec 2001 20:10:36 +0100

On Dec/18, Steve Halligan wrote:

> If you commented spp_portscan in snort.conf, the alerts you are seeing are
> NOT coming from it.  More likely they are coming from snort itself, and you

        Well, I wouldn't say so:

Dec 18 19:55:51 seel snort[28989]: spp_portscan: PORTSCAN DETECTED from
XX.XX.XX.XX (THRESHOLD 4 connections exceeded in 3 seconds)

Dec 18 19:55:52 seel snort[28989]: spp_portscan: portscan status from
YY.YY.YY.YY: 4 connections across 4 hosts: TCP(4), UDP(0)

Dec 18 19:55:55 seel snort[28989]: spp_portscan: portscan status from
XX.XX.XX.XX: 7 connections across 7 hosts: TCP(0), UDP(7)

Dec 18 19:55:56 seel snort[28989]: spp_portscan: portscan status from
YY.YY.YY.YY: 3 connections across 3 hosts: TCP(3), UDP(0)

        The "spp_portscan" string should mean that it's spp_portscan who's
logging, isn't it? And besides, I have set up rules in /etc/snort/local-first
that ignore everything from this host's addresses (and included this file in
snort configuration, of course). So, I don't know exactly what it is, but I'm
pretty sure that it's some spp_portscan related thing :-)

        And this is with *all* portscan-related config commented. Or at least
I think so:

host:~# grep portscan /etc/snort/snort.conf
# if you want to ignore portscan false alarms from them...
# detect various portscan types, fingerprinting, ECN, etc.
#   detect_scans - stream4 will detect stealth portscans and generate alerts
# portscan: detect a variety of portscans
# portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net>
#preprocessor portscan: $HOME_NET 4 3 portscan.log
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
#preprocessor portscan-ignorehosts: $DNS_SERVERS

        (I've "hidden" all IP addresses because I don't know if my bosses
would like to show them all over the Internet O:-))

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users