Snort mailing list archives
snort 1.9 settings of spp_portscan2
From: Patrice.Arnal () alcatel fr
Date: Fri, 29 Nov 2002 10:07:31 +0100
Hello,

I use snort 1.9 to monitor the traffic to and from a web server, and under normal operating conditions I get a lot of "portscan alerts":

[**] [117:1:1] (spp_portscan2) Portscan detected from xxx.xxx.xxx.34: 2 targets 21 ports in 12 seconds [**]
11/28-17:43:44.929945 xxx.xxx.xxx.34:443 -> yyy.yyy.yyy.yyy:1714
TCP TTL:127 TOS:0x0 ID:59272 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xC83745B3 Ack: 0xF49FBA26 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

where xxx.xxx.xxx.34 is the address of my web server.

According to this, I understand that a lot of answers of my web server to its clients are interpreted as a portscan against these clients.

I can tell spp_portscan to ignore scans FROM my HOME_NET:

preprocessor portscan-ignorehosts: $HOME_NET

BUT I did not find the equivalent option for portscan2.

# Portscan 2, detect portscans in a new and exciting way.
#
# Available options:
# scanners_max [num]
# targets_max [num]
# target_limit [num]
# port_limit [num]
# timeout [num]
# log [logdir]
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

Thanks for the help

Patrice ARNAL
ALCANET France
Site d'ILLKIRCH
1 Route du Dr Albert SCHWEITZER
67408 ILLKIRCH CEDEX
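An added example, not part of the original post and not Snort code: a triage script that reads spp_portscan2 alerts in the format quoted above and separates those triggered by a SYN/ACK leaving a known server's listening port (the case described in the post) from those that still need review. The sample alerts are constructed, and the `SERVERS` inventory and the `triage` function name are assumptions.

```python
import re

# Constructed sample alerts modelled on the one in the post; the masked
# addresses are replaced with documentation ranges.
SAMPLE = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.34: 2 targets 21 ports in 12 seconds [**]
11/28-17:43:44.929945 192.0.2.34:443 -> 198.51.100.7:1714
TCP TTL:127 TOS:0x0 ID:59272 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0xC83745B3 Ack: 0xF49FBA26 Win: 0x2238 TcpLen: 24
TCP Options (1) => MSS: 1460

[**] [117:1:1] (spp_portscan2) Portscan detected from 203.0.113.9: 1 targets 25 ports in 3 seconds [**]
11/28-17:50:02.100000 203.0.113.9:40112 -> 192.0.2.34:23
TCP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:44 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x4000 TcpLen: 24
"""

# Assumed inventory: server address -> TCP ports it legitimately listens on.
SERVERS = {"192.0.2.34": {80, 443}}

HEAD = re.compile(r"\(spp_portscan2\) Portscan detected from (\S+): "
                  r"(\d+) targets (\d+) ports in (\d+) seconds")
PKT = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$", re.M)
FLAGS = re.compile(r"^([0-9A-Z*]{8}) Seq:", re.M)  # Snort order: 1 2 U A P R S F

def triage(text):
    """Return one dict per complete portscan2 alert with a triage verdict."""
    results = []
    for block in text.strip().split("\n\n"):
        head, pkt, flags = HEAD.search(block), PKT.search(block), FLAGS.search(block)
        if not (head and pkt and flags):
            continue  # incomplete alert or some other generator
        src, sport = pkt.group(1), int(pkt.group(2))
        f = flags.group(1)
        syn_ack = f[3] == "A" and f[6] == "S"  # second step of the handshake
        reply = syn_ack and sport in SERVERS.get(src, ())
        results.append({
            "scanner": head.group(1), "targets": int(head.group(2)),
            "ports": int(head.group(3)), "flags": f,
            "verdict": "likely-server-reply" if reply else "review",
        })
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```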