Snort mailing list archives
RE: Snort & portscans in a proxied environment
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Wed, 20 Nov 2002 18:03:19 -0500
Indeed, this is exactly what I did. I have 2 snort processes that get kicked off by my "service snortd start" (yeah, redhat linux). One runs all my rules, preprocessors, & outputs MINUS portscan2 in snort.conf. The other I ran as:

    snort -yzboDNk noip -i $INTERFACE -c /etc/snort/snort-portscan.conf -A None ! host $PROXY

snort-portscan.conf has no sigs in it, runs the portscan2 preprocessors (plus a few of the reassembly ones just in case). As an aside: I don't even have an output specified here, and I do no alerting either, as you'll notice. I did this because I was tired of ACID getting clogged with those &%*#in annoying spp_portscan2 alerts.

Now I'll get alerted on the SYN/FINs, FIN scans, typical alerts of that nature... but the standard portscans JUST get logged to portscan.log. I don't need to be alerted every 10 minutes when some punk portscans me. This is data I NEED to have when investigating something in-depth or looking at trends, but I don't WANT when I'm just looking for immediate problems. Hell, I even scan this file when I run snortsnarf... I just wanted those out of my alert database.

"log_but_dont_alert" and "ignore_destination <IP>" would be nice additions down the road to portscan2 [wink, wink]

HTH,
Mike
-----Original Message-----
From: Hicks, John [mailto:JHicks () JUSTICE GC CA]
Sent: Wednesday, November 20, 2002 3:57 PM
To: 'Jacob Redding'; Michael.Cloppert () 53 com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort & portscans in a proxied environment

Off the top of my head, ignore the Proxy Server from the sensor, and create a new sensor just to watch the Proxy, and turn Portscan detection off on it only.

hth,
John Hicks

-----Original Message-----
From: Jacob Redding [mailto:Jacob () wiredgeek com]
Sent: Wednesday, November 20, 2002 3:27 PM
To: Michael.Cloppert () 53 com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort & portscans in a proxied environment

I have the same situation.. My solution.. disable portscan2 ;)

If someone has a better solution, I'm all ears too..

-jacob

I'm looking for ideas on how to keep snort's portscan2 preprocessor from triggering on responses to my proxy server. Over half of the portscans I get are things like:

    src: some.web.server.outthere dst: my.pos.proxy.server sport: 80 dport: some_ephemeral_port

It's obvious to me that these requests are responses to requests my proxy made on behalf of its clients. Adding my.pos.proxy.server to portscan2-ignorehosts obviously doesn't do much good, since it's not the source, after all. The only thing I can think of is a daily purge of this sort of data from my portscan.log file. I can't be the only one in the world seeing this... anyone have any solutions that can help me out? Anything would be appreciated.

Cheers,
Mike

-------------------------------------------------------
This sf.net email is sponsored by: Battle your brains against the best in the Thawte Crypto Challenge.
Be the first to crack the code - register now: http://www.gothawte.com/rd521.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
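The "ignore_destination <IP>" behaviour Mike asks for, as an added example that is not part of the thread and not Snort's spp_portscan2 code: a toy distinct-target counter that still sees the proxy's return traffic but leaves it out of the scan count. The proxy address, service ports and flow records are constructed for the example.

```python
# Added illustration of an ignore_destination-style exception for a portscan
# counter. This is NOT spp_portscan2's algorithm; it only shows the idea.
from collections import defaultdict

PROXY = "10.0.0.5"                     # assumed proxy address (constructed)
SERVICE_PORTS = frozenset({80, 443})   # ports the proxy fetches from outside

# Constructed flows shaped like the portscan.log fields quoted in the thread:
# (src, sport, dst, dport). They are not real spp_portscan2 log lines.
SAMPLE_FLOWS = [
    ("203.0.113.7", 80, PROXY, 40001),          # web server answering the proxy
    ("203.0.113.7", 80, PROXY, 40002),
    ("203.0.113.7", 80, PROXY, 40003),
    ("203.0.113.7", 80, PROXY, 40004),
    ("203.0.113.7", 80, PROXY, 40005),
    ("198.51.100.9", 51234, "10.0.0.20", 21),   # a genuine sweep of one host
    ("198.51.100.9", 51235, "10.0.0.20", 22),
    ("198.51.100.9", 51236, "10.0.0.20", 23),
    ("198.51.100.9", 51237, "10.0.0.20", 25),
    ("198.51.100.9", 51238, "10.0.0.20", 80),
]


def is_proxy_response(src, sport, dst, dport, proxy, service_ports=SERVICE_PORTS):
    """True for a packet from a well-known service port to an ephemeral port
    on the proxy, i.e. the return half of a connection the proxy opened."""
    return dst == proxy and sport in service_ports and dport >= 1024


def find_scanners(flows, proxy=None, threshold=5):
    """Flag sources that touch at least `threshold` distinct (dst, dport)
    targets. With `proxy` set, flows that look like responses to it are
    counted as ignored instead of as targets (the ignore_destination idea).
    Returns (set of flagged sources, number of ignored flows)."""
    targets = defaultdict(set)
    ignored = 0
    for src, sport, dst, dport in flows:
        if proxy is not None and is_proxy_response(src, sport, dst, dport, proxy):
            ignored += 1
            continue
        targets[src].add((dst, dport))
    return {s for s, t in targets.items() if len(t) >= threshold}, ignored


if __name__ == "__main__":
    print("no exception:  ", find_scanners(SAMPLE_FLOWS))
    print("proxy ignored: ", find_scanners(SAMPLE_FLOWS, proxy=PROXY))
```

The exception keys only on the proxy address and the source port, so anything sent from port 80 or 443 at the proxy's ephemeral range is hidden from the count as well; keeping those flows in portscan.log, as Mike does, rather than dropping them is what makes that trade-off reviewable later.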