Snort mailing list archives

snort 1.9 settings of spp_portscan2


From: Patrice.Arnal () alcatel fr
Date: Fri, 29 Nov 2002 10:07:31 +0100

Hello
I use snort 1.9 to monitor the traffic to and from a web server, and under 
normal operating conditions I get
a lot of "portscan alerts":

[**] [117:1:1] (spp_portscan2) Portscan detected from xxx.xxx.xxx.34: 2 targets 21 ports in 12 seconds [**]
11/28-17:43:44.929945 xxx.xxx.xxx.34:443 -> yyy.yyy.yyy.yyy:1714
TCP TTL:127 TOS:0x0 ID:59272 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xC83745B3  Ack: 0xF49FBA26  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460

where xxx.xxx.xxx.34 is the address of my web server. 

According to this, I understand that a lot of answers from my web server to 
its clients are interpreted as a portscan against these clients.

I can tell spp_portscan to ignore scans FROM my HOME_NET

preprocessor portscan-ignorehosts: $HOME_NET

BUT I did not find the equivalent option for portscan2.

# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
#       scanners_max [num]
#       targets_max [num]
#       target_limit [num]
#       port_limit [num]
#       timeout [num]
#       log [logdir]

preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

Thanks for the help

Patrice ARNAL
ALCANET France
Site d'ILLKIRCH
1 Route du Dr Albert SCHWEITZER
67408 ILLKIRCH CEDEX
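One way to triage these alerts after the fact, as an added example that is not part of the post or of Snort itself: parse the spp_portscan2 alert text and separate SYN/ACK replies sent from the server's own listening port inside HOME_NET (every client's ephemeral port counts as a new "port" for the preprocessor) from alerts that still look like a real scan. HOME_NET, the server ports and the sample addresses are assumed values.

```python
import ipaddress
import re

# Constructed sample alert in the Snort 1.9 spp_portscan2 text format quoted in the post
# (addresses are made up; the post's own addresses were masked).
SAMPLE_ALERT = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 10.0.0.34: 2 targets 21 ports in 12 seconds [**]
11/28-17:43:44.929945 10.0.0.34:443 -> 192.168.5.7:1714
TCP TTL:127 TOS:0x0 ID:59272 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xC83745B3  Ack: 0xF49FBA26  Win: 0x2238  TcpLen: 24
TCP Options (1) => MSS: 1460
"""

HOME_NET = ipaddress.ip_network("10.0.0.0/24")   # assumption: the web server's network
SERVER_PORTS = {80, 443}                          # assumption: ports the server listens on

HEADER_RE = re.compile(r"\(spp_portscan2\) Portscan detected from (\S+): (\d+) targets (\d+) ports in (\d+) seconds")
PACKET_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")


def parse_alert(text):
    """Pull the scan summary, the packet addresses and the TCP flag string out of one alert."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = HEADER_RE.search(lines[0])
    packet = PACKET_RE.match(lines[1])
    flags = FLAGS_RE.match(lines[3])
    if not (header and packet and flags):
        raise ValueError("not a spp_portscan2 alert")
    return {
        "scanner": header.group(1),
        "targets": int(header.group(2)), "ports": int(header.group(3)), "seconds": int(header.group(4)),
        "src": packet.group(1), "src_port": int(packet.group(2)),
        "dst": packet.group(3), "dst_port": int(packet.group(4)),
        "flags": flags.group(1),   # Snort order: 1 2 U A P R S F, '*' = flag not set
    }


def classify(alert):
    """'server_reply' when the "scanner" is our own server answering clients
    (SYN/ACK from a listening port inside HOME_NET), else 'portscan_candidate'."""
    src_inside = ipaddress.ip_address(alert["src"]) in HOME_NET
    syn_ack = "A" in alert["flags"] and "S" in alert["flags"]
    if src_inside and alert["src_port"] in SERVER_PORTS and syn_ack:
        return "server_reply"
    return "portscan_candidate"


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert["scanner"], classify(alert))
```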
