Snort mailing list archives

Re: portscan


From: Byron York <byron () benefitrecovery com>
Date: Wed, 10 Oct 2001 09:19:43 -0500

It could be DNS queries, but I don't know. In the conf file there is a
preprocessor portscan-ignorehosts. Put your internal IP address here and you
will not generate the false alarms from normal internal traffic. Also you can
bump up the threshold on the portscan preprocessor from 4 connections over 3
seconds to something higher.


alexus wrote:

my snort detects way too many so-called "portscans", even from my very own
IP

Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from
66.92.98.145: 6 connections across 6 hosts: TCP(0), UDP(6)
Oct 10 00:51:07 box /kernel: Oct 10 00:51:07 box snort[605]: spp_portscan:
portscan status from 66.92.98.145: 6 connections across 6 hosts: TCP(0),
UDP(6)
Oct 10 00:52:01 box snort[605]: spp_portscan: portscan status from
66.92.98.145: 2 connections across 2 hosts: TCP(0), UDP(2)

I assume that this is a misconfiguration of some kind. I do not portscan
myself.

any ideas?

thank you in advance
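
Added example, not part of either post: a small Python triage script that summarizes spp_portscan status lines per source and prints a portscan-ignorehosts line for internal, UDP-only sources, the pattern the reply suggests may be DNS. The HOME_NETS value, the function names and the UDP-only heuristic are assumptions of this example; the directive syntax follows the Snort 1.x snort.conf format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: internal address space to consider; here just the poster's own IP.
HOME_NETS = [ipaddress.ip_network("66.92.98.145/32")]

# First three lines: the post's excerpt, mail wrapping undone. Last line: constructed.
SAMPLE_LOG = """\
Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from 66.92.98.145: 6 connections across 6 hosts: TCP(0), UDP(6)
Oct 10 00:51:07 box /kernel: Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from 66.92.98.145: 6 connections across 6 hosts: TCP(0), UDP(6)
Oct 10 00:52:01 box snort[605]: spp_portscan: portscan status from 66.92.98.145: 2 connections across 2 hosts: TCP(0), UDP(2)
Oct 10 00:53:10 box snort[605]: spp_portscan: portscan status from 192.0.2.77: 40 connections across 1 hosts: TCP(40), UDP(0)
"""

STATUS_RE = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: spp_portscan: "
    r"portscan status from (\S+): (\d+) connections across (\d+) hosts: "
    r"TCP\((\d+)\), UDP\((\d+)\)"
)

def summarize(log_text):
    """Aggregate spp_portscan status lines per source IP."""
    seen = set()
    stats = defaultdict(lambda: {"events": 0, "tcp": 0, "udp": 0, "max_hosts": 0})
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        # Skip non-matching lines and the "/kernel:" re-logged duplicates.
        if not m or m.groups() in seen:
            continue
        seen.add(m.groups())
        _, src, _, hosts, tcp, udp = m.groups()
        s = stats[src]
        s["events"] += 1
        s["tcp"] += int(tcp)
        s["udp"] += int(udp)
        s["max_hosts"] = max(s["max_hosts"], int(hosts))
    return dict(stats)

def ignorehosts_candidates(stats, home_nets=HOME_NETS):
    """Internal sources whose alerts were UDP-only (heuristic, review before use)."""
    return sorted(
        f"{src}/32" for src, s in stats.items()
        if s["tcp"] == 0 and s["udp"] > 0
        and any(ipaddress.ip_address(src) in n for n in home_nets)
    )

if __name__ == "__main__":
    print("preprocessor portscan-ignorehosts:", *ignorehosts_candidates(summarize(SAMPLE_LOG)))
```

Confirm what the UDP traffic actually is (for example, resolver lookups) before adding a host to the ignore list, since an ignored host is no longer checked for scanning.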

