Snort mailing list archives
Re: Alert log entry
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 26 Dec 2002 21:49:46 -0500
Look up the portscan preprocessor in your snort.conf. In a LAN setting the default thresholds for the portscan preprocessor are going to be way too low. Really this preprocessor was designed for use in watching traffic come in to your LAN from the internet, and not to watch traffic between different nodes in your LAN.
I'd strongly recommend completely disabling the portscan preprocessor, and using the portscan2 preprocessor of snort 1.9.0 and higher instead (you'll have to tweak its settings a bit as well, but its defaults are a bit more sane and it's a bit more flexible.)
If you must use the regular old one, you're going to have to bump up your thresholds and set your portscan_ignorehosts properly.
At 10:13 AM 12/27/2002 +0800, you wrote:
Hi all, I am a Snort new user and need some help. From my log I am seeing many such entries. Is this normal in a LAN env of all Win2000 Prof machines? Thank you

12/10-15:23:40.976000 [**] [100:1:1] <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from 192.168.1.1 (THRESHOLD 10 connections exceeded in 3 seconds) [**]
12/10-15:23:44.554000 [**] [100:1:1] <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from 192.168.1.2 (THRESHOLD 10 connections exceeded in 11 seconds) [**]
12/10-15:23:46.148000 [**] [100:2:1] <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan status from 192.168.2.1: 6 connections across 6 hosts: TCP(0), UDP(6) [**]
12/10-15:23:46.148000 [**] [100:2:1] <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan status from 192.168.2.2: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
12/10-15:23:46.164000 [**] [100:2:1] <\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan status from 192.168.2.3: 14 connections across 6 hosts: TCP(8), UDP(6) [**]

-------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
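As an added illustration of the two options Matt describes (this is not from his message and not the Snort project's own snort.conf): the stock portscan line beside a LAN-tuned one, and the portscan2 alternative. Directive names and the default values are given as I recall them from Snort 1.9-era snort.conf (the ignore-hosts directive is spelled with a hyphen there, not the underscore used in the reply); the raised thresholds and the 192.168.x.x hosts are assumptions to be adapted to your own network.

```conf
# --- Option A: keep the old portscan preprocessor, but tune it for a LAN ---
# Stock line (assumed default): alert when one source touches 4 ports within 3 seconds.
# On a LAN of chatty Windows hosts (NetBIOS, browser elections, DNS) this fires constantly.
#preprocessor portscan: $HOME_NET 4 3 portscan.log

# LAN-tuned: require many more ports in a longer window before alerting (values are assumptions).
preprocessor portscan: $HOME_NET 50 10 portscan.log

# Hosts that legitimately talk to many peers and ports (domain controllers, DNS, monitoring)
# are excluded from portscan reporting. Addresses below are placeholders.
preprocessor portscan-ignorehosts: 192.168.1.1 192.168.1.2

# --- Option B (Snort 1.9 and higher): comment out Option A above and use portscan2 instead ---
# portscan2 depends on the conversation preprocessor, which has to be enabled before it.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
# target_limit = distinct hosts and port_limit = distinct ports one source may touch
# within `timeout` seconds before an alert; raise these if the LAN still trips them.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: 192.168.1.1 192.168.1.2
```

Run only one of the two options at a time. After changing either, restart Snort and watch the alert file for a day before tightening again: the sources that still appear with "N connections across M hosts" are the candidates for the ignore-hosts list if their traffic turns out to be legitimate, and the ones to investigate if it does not.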
Current thread:
- Alert log entry bluetooth995 (Dec 26)
- Re: Alert log entry Matt Kettler (Dec 26)