Re: Alert log entry

[Matt Kettler <mkettler () evi-inc com>]

look up the portscan preprocessor in your snort.conf

In a lan setting the default thresholds for the portscan preprocessor are 
going to be way too low. Really this preprocessor was designed for use in 
watching traffic come in to your lan from the internet, and not to watch 
traffic from between different nodes in your lan.

I'd strongly recommend completely disabling the portscan preprocessor, and 
using the portscan2 preprocessor of snort 1.9.0 and higher instead (you'll 
have to tweak it's settings a bit as well, but it's defaults are a bit more 
sane and it's a bit more flexible.)

If you must use the regular old one, you're going to have to bump up your 
thresholds and set your portscan_ignorehosts properly.


At 10:13 AM 12/27/2002 +0800, you wrote:
> Hi all
>
> i am snort new user.. need some help.
>
> from my log.. i am seeing many such entries.... is this normal in a LAN env
> of all win2000 Prof machines. Thank you
> 12/10-15:23:40.976000 [**] [100:1:1]
> <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN
> DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from
> 192.168.1.1 (THRESHOLD 10 connections exceeded in 3 seconds) [**]
>
> 12/10-15:23:44.554000 [**] [100:1:1]
> <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN
> DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from
> 192.168.1.2 (THRESHOLD 10 connections exceeded in 11 seconds) [**]
>
> 12/10-15:23:46.148000 [**] [100:2:1]
> <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
> status from 192.168.2.1: 6 connections across 6 hosts: TCP(0), UDP(6) [**]
>
> 12/10-15:23:46.148000 [**] [100:2:1]
> <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
> status from 192.168.2.2: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
>
> 12/10-15:23:46.164000 [**] [100:2:1]
> <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
> status from 192.168.2.3: 14 connections across 6 hosts: TCP(8), UDP(6) [**]
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users