Snort mailing list archives
RE: Portscan from self?
From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Tue, 8 Oct 2002 11:30:33 -0400
I'm assuming your WAN interface does IP masquerading/hidden NAT. Basically, if you have 10 people sharing that one public address and they are all surfing the web, your WAN interface is going to send out 10 different requests, all from that WAN interface's IP, all from different ports, and the destination will be port 80. This triggers Snort's portscan rule because one IP has contacted several different IPs in a very short amount of time. Tweak the Snort rules to stop this. In your snort.conf file you will see this:

var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]

Just put in the IPs you want to be ignored in there and restart Snort and you will be golden. Put your DNS server IPs in there too, along with your WAN interface, to cut down on these chatty alerts.
-----Original Message-----
From: Marc Thomas [mailto:marc () mainetech net]
Sent: Tuesday, October 08, 2002 11:13 AM
To: Snort-users
Subject: [Snort-users] Portscan from self?

Hello,

I keep getting the following:

spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 4 connections exceeded in 2 seconds)
Oct 8 10:06:15 noc snort: spp_portscan: portscan status from w.x.y.z: 6 connections across 6 hosts: TCP(6), UDP(0)
Oct 8 10:06:30 noc snort: spp_portscan: portscan status from w.x.y.z: 1 connections across 1 hosts: TCP(1), UDP(0)
Oct 8 10:06:38 noc snort: spp_portscan: portscan status from w.x.y.z: 2 connections across 2 hosts: TCP(2), UDP(0)

w.x.y.z being my WAN interface. What's causing this? Anything I can do to stop it?

BTW, using Snort version 1.9.0 on Debian woody.

Thanks,
Marc

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
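The mechanism Eoin describes (one masqueraded address opening connections to many hosts inside the preprocessor's time window) and the effect of an ignore list can be replayed over constructed connection records. The script below is an added example, not code from the thread or from Snort itself: it is a deliberately simplified reimplementation of the spp_portscan threshold ("N connections in T seconds"), not the preprocessor's real logic, and the records, destination addresses (documentation ranges) and the "w.x.y.z" placeholder for the WAN address are all made up for the illustration. It also shows the caveat a practitioner should weigh before whitelisting the gateway: an internal host port-sweeping an outside target exits through the same WAN address, so the ignore list hides that scan too.

```python
from collections import defaultdict

# Constructed connection records (added example data, not from the thread):
# (seconds since start, src_ip, dst_ip, dst_port, proto). "w.x.y.z" stands in
# for the NAT gateway's WAN address as in the original post; the destinations
# are documentation-range addresses.

# Several users browsing behind one masqueraded address: many distinct
# destination hosts, mostly port 80, all inside a couple of seconds.
NAT_BROWSING = [
    (0.0, "w.x.y.z", "198.51.100.10", 80, "TCP"),
    (0.3, "w.x.y.z", "198.51.100.11", 80, "TCP"),
    (0.7, "w.x.y.z", "203.0.113.5", 443, "TCP"),
    (1.1, "w.x.y.z", "198.51.100.12", 80, "TCP"),
    (1.4, "w.x.y.z", "203.0.113.9", 80, "TCP"),
    (1.9, "w.x.y.z", "198.51.100.13", 80, "TCP"),
    (6.0, "w.x.y.z", "198.51.100.20", 80, "TCP"),  # later page load, outside the window
]

# The same public address, but now one internal host port-sweeping a single
# external target through the gateway. Seen from outside the NAT it carries
# the same source IP as the browsing above, which is why an ignore list
# covering the WAN address is a blind spot.
INTERNAL_SCAN_VIA_NAT = [
    (0.0, "w.x.y.z", "203.0.113.50", 21, "TCP"),
    (0.1, "w.x.y.z", "203.0.113.50", 22, "TCP"),
    (0.2, "w.x.y.z", "203.0.113.50", 23, "TCP"),
    (0.3, "w.x.y.z", "203.0.113.50", 25, "TCP"),
    (0.4, "w.x.y.z", "203.0.113.50", 80, "TCP"),
    (0.5, "w.x.y.z", "203.0.113.50", 53, "UDP"),
]

# One connection every three seconds never puts four inside a 2 s window.
SLOW_TRICKLE = [(3.0 * i, "w.x.y.z", f"198.51.100.{30 + i}", 80, "TCP") for i in range(6)]


def detect_portscans(events, threshold=4, window=2.0, ignore_hosts=()):
    """Replay connection records through a simplified spp_portscan-style check.

    A source is flagged once it has made `threshold` or more connections within
    `window` seconds (sliding window). Sources listed in `ignore_hosts` are
    skipped entirely, mirroring what an ignore list in snort.conf does. Returns
    a dict keyed by flagged source holding the alert text and the fields Snort
    prints in its "portscan status" line (connections, distinct hosts, TCP/UDP).
    """
    recent = defaultdict(list)   # src -> timestamps still inside the sliding window
    stats = defaultdict(lambda: {"connections": 0, "hosts": set(), "TCP": 0, "UDP": 0})
    alerts = {}

    for ts, src, dst, port, proto in sorted(events, key=lambda e: e[0]):
        if src in ignore_hosts:
            continue
        in_window = [t for t in recent[src] if ts - t <= window] + [ts]
        recent[src] = in_window

        s = stats[src]
        s["connections"] += 1
        s["hosts"].add(dst)
        s[proto] += 1

        if len(in_window) >= threshold and src not in alerts:
            alerts[src] = (f"PORTSCAN DETECTED from {src} "
                           f"(THRESHOLD {threshold} connections exceeded in {window:g} seconds)")

    return {
        src: {
            "alert": alerts[src],
            "connections": stats[src]["connections"],
            "hosts": len(stats[src]["hosts"]),
            "TCP": stats[src]["TCP"],
            "UDP": stats[src]["UDP"],
        }
        for src in alerts
    }


def format_status(src, summary):
    """Render a summary in the shape of Snort's 'portscan status' log line."""
    return (f"portscan status from {src}: {summary['connections']} connections "
            f"across {summary['hosts']} hosts: TCP({summary['TCP']}), UDP({summary['UDP']})")


if __name__ == "__main__":
    for label, events in [("NAT browsing", NAT_BROWSING),
                          ("internal scan via NAT", INTERNAL_SCAN_VIA_NAT),
                          ("slow trickle", SLOW_TRICKLE)]:
        for ignore in ((), ("w.x.y.z",)):
            result = detect_portscans(events, ignore_hosts=ignore)
            tag = "ignore WAN" if ignore else "no ignore list"
            lines = "; ".join(format_status(s, r) for s, r in result.items()) or "no alert"
            print(f"{label} [{tag}]: {lines}")
```

Run as-is, the browsing burst is flagged exactly as in Marc's logs (one DETECTED line, then a status summary of N connections across N hosts), the slow trickle is not, and adding "w.x.y.z" to the ignore list silences the browsing noise but also silences the port sweep that left through the gateway. If that blind spot matters, the alternative to whitelisting is to put the sensor on the inside of the NAT, where each connection still carries the real internal source address.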
Current thread:
- Portscan from self? Marc Thomas (Oct 08)
- <Possible follow-ups>
- RE: Portscan from self? Miller, Eoin (Oct 08)
- portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Bennett Todd (Oct 08)
- Re: portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Erek Adams (Oct 08)
- portscan-ignorehosts for portscan2? (was Re: Portscan from self?) Bennett Todd (Oct 08)