Snort mailing list archives
disabling portscan false alarms for a certain port (137)
From: Steve.Evans () irusa com
Date: Thu, 21 Mar 2002 11:15:26 -0700
Hi all. I'm getting the following:

Mar 21 10:01:03 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:07 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 3 connections across 3 hosts: TCP(0), UDP(3)
Mar 21 10:01:11 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:15 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:20 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:24 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:28 linux snort[4308]: spp_portscan: portscan status from 192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Etc..

This node is not a DNS server.. and it's not the only node that I get notified about. The portscan.log looks like:

Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:21 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:26 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:29 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:31 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:34 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:35 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:38 192.168.1.3:137 -> 192.168.1.130:137 UDP
Etc..

Rather than ignoring all portscans from/to this host, I'd like to just be able to ignore portscans on UDP port 137 (netbios?). Is there a way to do this with snort (Version 1.8.1-RELEASE (Build 74))?

Thanks!
Steve..
PS, please reply directly, I'm not on the mailing list..
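The pattern in the post is NetBIOS name-service traffic (UDP source port 137 to destination port 137) being counted by spp_portscan as one "connection" per neighbouring host. Where the preprocessor itself cannot be told to ignore a single port, one defensive option is to post-filter portscan.log so that only this exact port pair is suppressed and everything else, including a probe that targets port 137 from an ephemeral source port, still surfaces. The following is an added example, not code from the original post or from the Snort project; the sample lines are constructed in the portscan.log layout shown in the post, and the trailing TCP flag string on the SYN lines is an assumption about the 1.8.x format rather than something the post shows.

```python
"""Post-filter Snort 1.8.x portscan.log so NetBIOS name-service chatter
(UDP 137 -> 137) no longer drowns out real scan activity."""
import re
from collections import defaultdict

# Constructed sample input in the portscan.log layout from the post:
# "<Mon> <DD> <HH:MM:SS> <src>:<sport> -> <dst>:<dport> <PROTO> [flags]".
# The first four lines mirror the post; the 192.168.1.77 lines are constructed
# to show what survives the filter (the flag suffix is an assumption).
SAMPLE_PORTSCAN_LOG = """\
Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:40 192.168.1.77:40001 -> 192.168.1.130:22 SYN ******S*
Mar 21 12:01:40 192.168.1.77:40002 -> 192.168.1.130:23 SYN ******S*
Mar 21 12:01:41 192.168.1.77:40003 -> 192.168.1.130:137 UDP
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)(?P<rest>.*)$"
)

NETBIOS_NS_PORT = 137  # NetBIOS name service, the "netbios?" traffic in the post


def parse_line(line):
    """Parse one portscan.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["rest"] = entry["rest"].strip()  # TCP flag string, if any
    return entry


def is_netbios_name_chatter(entry):
    """True only for UDP 137 -> 137, the name-service exchange between peers.
    A UDP probe aimed at port 137 from an ephemeral source port is NOT matched,
    so a deliberate sweep of the NetBIOS port still gets reported."""
    return (entry["proto"] == "UDP"
            and entry["sport"] == NETBIOS_NS_PORT
            and entry["dport"] == NETBIOS_NS_PORT)


def filter_portscan_log(text):
    """Return (kept_entries, suppressed_count) for a portscan.log body."""
    kept, suppressed = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or unparseable lines rather than crash
        if is_netbios_name_chatter(entry):
            suppressed += 1
        else:
            kept.append(entry)
    return kept, suppressed


def targets_per_source(entries):
    """Count distinct (dst, dport) pairs per source, a rough 'how wide' metric."""
    seen = defaultdict(set)
    for entry in entries:
        seen[entry["src"]].add((entry["dst"], entry["dport"]))
    return {src: len(targets) for src, targets in seen.items()}


if __name__ == "__main__":
    kept, count = filter_portscan_log(SAMPLE_PORTSCAN_LOG)
    print(f"suppressed {count} NetBIOS name-service entries")
    for src, width in targets_per_source(kept).items():
        print(f"{src}: {width} distinct host:port targets still flagged")
```

The filter deliberately keys on the source port as well as the destination port: legitimate name-service traffic in the post always uses 137 on both ends, while a scanner walking port 137 across the subnet will normally come from an ephemeral port and is kept. Run over the sample above it suppresses the four 192.168.1.3 lines and leaves the three 192.168.1.77 lines.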