Snort mailing list archives
RE: Portscan madness -- how to tweak
From: chi-leung.wong () nokia com
Date: Mon, 7 Jan 2002 09:37:04 +0200
Hello Marty,

Thanks for the response. They are primarily UDP, but there is a good chunk of TCP packets. Not DNS; I've already included our server subnets in the portscan-ignore list. It seems to be a lot of UDP NetBIOS traffic. Since this point is our WAN connection point, it's useless to me to list more addresses in the portscan-ignore list, as I'm trying to find out about users scanning into our network and also our users scanning into other networks. But I'm getting a lot of messages from "spp_portscan". I'm using 1.8.3 with current rules, but I don't think it's the rules that are giving me the problems; it's the portscan preprocessor sending "spp_portscan detect..." messages. And looking at the alerts, I'm not really getting scanned; it's a lot of different IP addresses, just normal traffic. I'm trying to find the balance between getting alerts on real portscans and, at the same time, minimizing false positives. Since it's written into the preprocessor, I don't know how to deal with it.

Thanks.

Cheers,
-Alan

roesch () sourcefire com wrote:

> Are they UDP portscans or TCP portscans? Are they coming from your DNS server or elsewhere? What version of Snort are you using? Are the scans from a few IP addresses all the time or from a bunch of different sources?
>
> -Marty
>
> chi-leung.wong () nokia com wrote:
>
> > Hello everyone,
> >
> > Sorry to be a bother, but I've been trying to get this portscan tweaked and it's killing me. Currently my alerts consist of 90% portscans, and I can't seem to tweak it through rules or even portscan-ignorehosts (might as well turn portscan off if using too many addresses). I have my IDS sitting at a traffic point on our router. My EXTERNAL_NET and HOME_NET are set to any, since I'm detecting internal intrusions and not external. I'm just getting bombarded. All I can think of now is to turn off portscan if everything fails. Does anyone have any suggestions? Portscan options now are 7 3. Any help would be very much appreciated. Thank you.
> >
> > Cheers,
> > -Alan
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
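The tuning problem Alan describes (a "7 3" portscan setting, a portscan-ignore list, and NetBIOS chatter that looks like a scan) can be explored offline before touching the sensor. The script below is an added example, not part of this thread and not Snort's own spp_portscan code. It assumes the "7 3" setting means "more than 7 distinct (host, port) targets from one source within 3 seconds" and approximates that trigger over a constructed set of flow records; the sample traffic, address ranges and port lists are made up for illustration. It shows why a host doing NetBIOS name queries to its neighbours trips the same threshold as a real service scan, that no port-count threshold alone separates the two, that an ignore list suppresses the NetBIOS host, and that the hosts-by-ports shape of each source is what tells them apart.

```python
"""Portscan threshold tuning helper (added example; approximates a
"N targets in M seconds per source" trigger, not spp_portscan's real code)."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample traffic: (timestamp_seconds, src, proto, dst_ip, dst_port).
SAMPLE_EVENTS = (
    # A host doing NetBIOS name queries (UDP/137) to ten neighbours in under a second.
    [(round(100.0 + i * 0.1, 1), "10.0.5.20", "udp", f"10.0.5.{i + 1}", 137)
     for i in range(10)]
    # A vertical scan: eight service ports on one host within 1.4 seconds.
    + [(round(200.0 + i * 0.2, 1), "192.168.1.77", "tcp", "10.0.9.8", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443])]
    # An ordinary client reconnecting to one web server, once per second.
    + [(300.0 + i, "10.0.7.3", "tcp", "10.0.9.8", 80) for i in range(20)]
    # A slow probe: ten ports, five seconds apart, never two inside a 3 s window.
    + [(400.0 + 5 * i, "172.16.4.4", "tcp", "10.0.9.8", 1000 + i) for i in range(10)]
)


def find_portscan_sources(events, ports, seconds, ignore_hosts=()):
    """Return {src: timestamp} for every source that touched more than `ports`
    distinct (dst_ip, dst_port) targets inside any `seconds`-long sliding window.
    Sources inside an ignore_hosts network (CIDR strings) are skipped, the way a
    portscan-ignorehosts list silences them."""
    ignore_nets = [ip_network(n, strict=False) for n in ignore_hosts]
    recent = defaultdict(deque)   # src -> deque of (ts, (dst_ip, dst_port))
    triggered = {}                # src -> time of first trigger
    for ts, src, _proto, dst_ip, dst_port in sorted(events):
        if src in triggered or any(ip_address(src) in n for n in ignore_nets):
            continue
        window = recent[src]
        window.append((ts, (dst_ip, dst_port)))
        while ts - window[0][0] > seconds:      # drop records older than the window
            window.popleft()
        if len({target for _, target in window}) > ports:
            triggered[src] = ts
    return triggered


def sweep_thresholds(events, seconds, candidates, ignore_hosts=()):
    """Which sources fire at each candidate port threshold, with the window fixed."""
    return {p: sorted(find_portscan_sources(events, p, seconds, ignore_hosts))
            for p in candidates}


def profile_source(events, src):
    """(distinct destination hosts, distinct destination ports) for one source.
    Many hosts x one port looks like browsing/sweeping; one host x many ports
    looks like a service scan."""
    hosts = {e[3] for e in events if e[1] == src}
    ports = {e[4] for e in events if e[1] == src}
    return len(hosts), len(ports)


if __name__ == "__main__":
    hits = find_portscan_sources(SAMPLE_EVENTS, ports=7, seconds=3)
    for src, ts in hits.items():
        hosts, ports = profile_source(SAMPLE_EVENTS, src)
        print(f"{src}: triggered at t={ts}, {hosts} hosts x {ports} ports")
    print("threshold sweep:", sweep_thresholds(SAMPLE_EVENTS, 3, range(7, 11)))
    print("with 10.0.5.0/24 ignored:",
          sorted(find_portscan_sources(SAMPLE_EVENTS, 7, 3, ["10.0.5.0/24"])))
```

Running it with the sample data, both 10.0.5.20 and 192.168.1.77 fire at 7/3; raising the threshold to 8 or 9 silences the scanner before it silences the NetBIOS host, and the slow probe never fires at any threshold because the window only ever holds one of its packets. The profile, 10 hosts x 1 port versus 1 host x 8 ports, is the distinction a threshold cannot express, which is why an analyst would sort spp_portscan sources by that shape (or, as in the thread, ignore the known noisy subnets) rather than keep pushing the numbers up. The event tuples can be filled from any flow or packet export to test a candidate setting against real traffic.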