Snort mailing list archives

Portscanning from my network


From: Steve Ochani <p51fan () optonline net>
Date: Fri, 05 Apr 2002 21:21:48 -0500

Hello,

I'm running Snort 1.8.3 (SunOS 5.8 on an Ultra 10).

I need to detect portscans *from* my network to the outside, while also being able to detect 
portscans from outside directed to my network.

I edited the line in snort.conf
from

preprocessor portscan: $HOME_NET 4 3 portscan.log

to

preprocessor portscan: any 4 3 portscan.log

and I was able to detect outgoing portscans (with nmap, for example), but the problem is that even if 
someone browses the web it gets picked up as a portscan.
I tried changing from 4 ports in 3 secs to 4 ports in 1 and 2, but still the same problem, and I don't 
want to make that too low since scans from outside might not be picked up.

Any suggestions?

Thanks
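
A simplified model of the threshold described in the post (N connection targets within T seconds per source), added here as an example; it is not part of the original message and is not Snort's code. It assumes the detector counts distinct destination/port pairs per source and that the first argument limits which destinations are watched; all addresses and timings are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/24")      # constructed example network
BROWSER, NMAP, SLOW = "10.0.0.5", "10.0.0.9", "198.51.100.4"

# Constructed events: (time in seconds, source, destination, destination port)
EVENTS = (
    # one page load pulling content from five web servers in under a second
    [(0.2 * i, BROWSER, f"192.0.2.{10 + i}", 80) for i in range(5)]
    # outbound scan of a single external host
    + [(10 + 0.1 * i, NMAP, "203.0.113.7", p) for i, p in enumerate((21, 22, 23, 25, 80))]
    # slower inbound scan of an internal host, one port every 0.9 s
    + [(20 + 0.9 * i, SLOW, "10.0.0.20", p) for i, p in enumerate((21, 22, 23, 25))]
)

def detect(events, ports=4, secs=3.0, monitor=None):
    """Return the sources that reach `ports` distinct (dst, dport) targets
    within `secs` seconds. monitor=None models 'any'; otherwise only
    connections whose destination lies inside `monitor` are counted."""
    recent = defaultdict(deque)            # src -> deque of (time, dst, dport)
    flagged = set()
    for t, src, dst, dport in sorted(events):
        if monitor is not None and ip_address(dst) not in monitor:
            continue
        window = recent[src]
        window.append((t, dst, dport))
        while t - window[0][0] > secs:     # drop entries older than the window
            window.popleft()
        if len({(d, p) for _, d, p in window}) >= ports:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    print("HOME_NET, 4 in 3s:", sorted(detect(EVENTS, monitor=HOME_NET)))
    print("any,      4 in 3s:", sorted(detect(EVENTS)))
    print("any,      4 in 1s:", sorted(detect(EVENTS, secs=1.0)))
```

In this model, watching `any` flags the browsing host because each new web server counts as a new target, and shrinking the window to 1 second still flags it while the slower inbound scan drops out.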
