Snort mailing list archives

disabling portscan false alarms for a certain port (137)


From: Steve.Evans () irusa com
Date: Thu, 21 Mar 2002 11:15:26 -0700

Hi all.

I'm getting the following:

Mar 21 10:01:03 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:07 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 3 connections across 3 hosts: TCP(0), UDP(3)
Mar 21 10:01:11 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:15 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:20 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:24 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:28 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)

Etc..

This node is not a DNS server.. and it's not the only node that I get
notified about.

The portscan.log looks like:

Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:21 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:26 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:29 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:31 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:34 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:35 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:38 192.168.1.3:137 -> 192.168.1.130:137 UDP  

Etc..

Rather than ignoring all portscans from/to this host, I'd like to just be
able to ignore portscans on UDP port 137 (netbios?)

Is there a way to do this with snort (Version 1.8.1-RELEASE (Build 74))?

Thanks!

Steve..

PS, please reply directly, I'm not on the mailing list..

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
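Added triage example (not part of the post above): before putting a host on a host-level ignore list, it helps to confirm that every portscan.log flow from that host really is UDP 137 -> 137 NetBIOS name-service chatter and nothing else. The script below parses the portscan.log layout shown in the post and reports, per source, how many flows are that noise and which other targets remain; the sample log, the second source 192.168.1.9 and the TCP line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the portscan.log layout shown in the post (not a real capture):
# NetBIOS name-service flows from 192.168.1.3, plus one mixed source, 192.168.1.9.
SAMPLE_LOG = """\
Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:18 192.168.1.9:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:20 192.168.1.9:40321 -> 192.168.1.21:22 SYN ******S*
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)")

# Flows treated as benign noise: (protocol, source port, destination port).
NBNS_NOISE = {("UDP", 137, 137)}

def parse_portscan_log(text):
    """Parse portscan.log lines into dicts; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append({"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                          "dport": int(m["dport"]), "proto": m["proto"]})
    return flows

def summarize_sources(flows, noise=NBNS_NOISE):
    """Per source: total flows, flows in the noise set, and distinct targets of the rest."""
    stats = defaultdict(lambda: {"total": 0, "noise": 0, "other_targets": set()})
    for f in flows:
        s = stats[f["src"]]
        s["total"] += 1
        if (f["proto"], f["sport"], f["dport"]) in noise:
            s["noise"] += 1
        else:
            s["other_targets"].add(f["dst"])
    return dict(stats)

def only_noise_sources(flows, noise=NBNS_NOISE):
    """Sources whose every logged flow is noise: the only safe candidates for a host-level ignore."""
    return sorted(src for src, s in summarize_sources(flows, noise).items()
                  if s["noise"] == s["total"])

if __name__ == "__main__":
    flows = parse_portscan_log(SAMPLE_LOG)
    for src, s in sorted(summarize_sources(flows).items()):
        print(f"{src}: {s['total']} flows, {s['noise']} NBNS, other targets {sorted(s['other_targets'])}")
    print("safe to ignore as a host:", only_noise_sources(flows))
```

A source with any non-137 flow (here 192.168.1.9, which also hit TCP/22) stays out of the ignore candidates, so the 137 noise is suppressed without hiding a real scan from the same machine.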
