Snort mailing list archives

RE: Portscan madness -- how to tweak


From: chi-leung.wong () nokia com
Date: Mon, 7 Jan 2002 09:37:04 +0200

Hello Marty,

        Thanks for the response. They are primarily UDP, but there are a
good chunk of TCP packets. Not DNS; I've already included our server
subnets in the portscan-ignore list. It seems to be a lot of UDP
NetBIOS traffic. Since this point is our WAN connection point, it's
useless to me to list more addresses in the portscan-ignore list, as I'm
trying to find out users scanning into our network and also our users
scanning other networks. But I'm getting a lot of messages from
"spp_portscan". I'm using 1.8.3 with current rules. But I don't think
it's the rules that are giving me the problems but the portscan
preprocessor sending "spp_portscan detect..." messages. And looking at
the alerts, I'm not really getting scanned; it's a lot of different IP
addresses, just normal traffic. I'm trying to find how to strike the
balance of getting alerts on real portscans while at the same time
minimizing false positives. Since it's written into the preprocessor, I
don't know how to deal with it. Thanks.

Cheers,
-Alan

roesch () sourcefire com wrote:

Are they UDP portscans or TCP portscans?  Are they coming from your DNS
server or elsewhere?  What version of Snort are you using?  Are the
scans from a few IP addresses all the time or from a bunch of different
sources?

    -Marty

chi-leung.wong () nokia com wrote:

Hello everyone,

        Sorry to be a bother, but I've been trying to get this portscan
tweaked but it's killing me. Currently my alerts consist of 90%
portscans and I can't seem to tweak it through rules or even the
portscan-ignorehosts (might as well turn portscan off if using too many
addresses). I have my IDS sitting at a traffic point on our router. My
EXTERNAL_NET and HOME_NET are set to any since I'm detecting internal
intrusions and not external. I'm just getting bombarded. All I can think
of now is to turn off portscan if everything fails. Does anyone have any
suggestions? Portscan options now are 7 3. Any help would be very much
appreciated. Thank you.

Cheers,
-Alan
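To see why a "7 3" setting (seven ports in three seconds) fires on ordinary NetBIOS chatter while an ignore list only helps for fixed servers, here is an added example that is not from this thread or from Snort's source: a toy re-implementation of the spp_portscan "ports seconds" threshold with an ignore-hosts list, run over constructed sample traffic. The window and threshold semantics are an approximation of spp_portscan, and all addresses, timestamps and the `SERVER_NETS` ignore list are made up for the example.

```python
# Added example (not from the thread): toy model of spp_portscan's
# "ports seconds" threshold plus a portscan-ignorehosts style skip list.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def find_scanners(events, ports, seconds, ignore_nets=()):
    """Flag a source once it reaches `ports` distinct (dst, port) targets
    inside any `seconds`-long window. Sources in `ignore_nets` are skipped,
    like portscan-ignorehosts. Threshold semantics are an assumption, not
    a copy of spp_portscan's code. Returns {src: first alert timestamp}."""
    ignore = [ip_network(n) for n in ignore_nets]
    windows = defaultdict(deque)  # src -> recent (timestamp, target) pairs
    alerts = {}
    for ts, src, dst, port in sorted(events):
        if src in alerts or any(ip_address(src) in n for n in ignore):
            continue
        win = windows[src]
        win.append((ts, (dst, port)))
        while ts - win[0][0] > seconds:  # drop entries outside the window
            win.popleft()
        if len({target for _, target in win}) >= ports:
            alerts[src] = ts
    return alerts


def constructed_events():
    """Constructed sample traffic as (timestamp, src, dst, dst_port)."""
    ev = []
    # Workstation doing NetBIOS name lookups against eight neighbours in
    # 1.6 s: benign, but eight targets in under three seconds trips "7 3".
    for i in range(8):
        ev.append((100.0 + 0.2 * i, "10.0.1.5", f"10.0.1.{10 + i}", 137))
    # Genuine scan: one source walking twenty ports on one host in a second.
    for i in range(20):
        ev.append((200.0 + 0.05 * i, "10.0.2.9", "10.0.3.1", 21 + i))
    # DNS server answering twelve clients; replies to many hosts from one
    # source look like a sweep unless the server subnet is ignored.
    for i in range(12):
        ev.append((300.0 + 0.1 * i, "10.0.0.53", f"10.0.4.{20 + i}", 1024 + i))
    return ev


SERVER_NETS = ("10.0.0.0/24",)  # stands in for the portscan-ignorehosts list

if __name__ == "__main__":
    for ports, secs in ((7, 3), (15, 3)):
        hits = find_scanners(constructed_events(), ports, secs, SERVER_NETS)
        print(f"portscan {ports} {secs}: {sorted(hits)}")
```

With "7 3" both the NetBIOS workstation and the real scanner are reported; raising the threshold to 15 keeps the scanner and drops the NetBIOS noise, while the DNS server is only quiet because its subnet is on the ignore list.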

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

