Snort mailing list archives
RE: Portscan2 filtering suggestions - Snort 1.9.0 & acid
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Wed, 9 Oct 2002 13:47:30 -0700
Just to clarify, I do have $HOME_NET and $IGNORE_PORTSCAN defined properly, and the alerts are sourced on port 80 of the web server and reply to the appropriate ephemeral ports on my home net. Basically a scan alert triggering only on the web server's reply to my user's outbound request, but not an alert on the original request nor the multiple ports opening with the destination of the server's port 80. I hope that makes it more clear.

J-

-----Original Message-----
From: Beckett, Josh
Sent: Wednesday, October 09, 2002 1:38 PM
To: 'Snort-users () lists sourceforge net'
Subject: Portscan2 filtering suggestions - Snort 1.9.0 & acid

I'm trying to tune out the false positives triggered by my users going to a website and the ensuing http conversation opening up many ports. I've upped the portscan2 preprocessor port_limit value from default to 20 and then to 25. Each time I increase the value, the alerts continue to trigger at the new, higher threshold. I understand what is going on at the tcp level but I am concerned that the more I increase the threshold, the greater my chances of missing a real scan.

In the reported alerts, the target value is always 1, which makes sense, so I haven't messed with the portscan2 target value. The alerts are often under 5-10 seconds so adjusting the timeout would seem to have little positive effect without an equal negative effect of increasing the potential for missing true positives.

Any suggestions, thoughts, criticisms on what other adjustments I could make (other than the obvious of keep crankin' up the port_limit and lower the timeout)?

Josh Beckett CISSP
Enviance.com
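The trade-off Josh describes (raising port_limit silences the web server's SYN/ACK replies to many ephemeral ports, but at the cost of also silencing a real scan of the same size) is easy to see with a small simulation. The following is an added example, not code from the thread and not Snort's portscan2 implementation: it is a simplified model of a per-source port/target counter with a timeout, run over constructed packet summaries. The addresses, the packet generators and the `syn_only` option are assumptions made for illustration; the last one shows that counting only client-initiated SYNs, rather than every packet, removes the false positive without touching port_limit.

```python
from collections import defaultdict

# Constructed packet summaries (not real capture data):
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
CLIENT = "192.168.1.50"       # a $HOME_NET user (assumed address)
WEB_SERVER = "203.0.113.10"   # external site the user browses (assumed address)
SCANNER = "198.51.100.7"      # host probing one internal target (assumed address)
TARGET = "192.168.1.20"       # the internal host being probed (assumed address)


def web_browsing_session(connections=30):
    """Model of one page load: the client opens `connections` short HTTP
    connections to port 80, and the server answers each SYN with a SYN/ACK
    back to a different ephemeral port, all within a few seconds."""
    pkts = []
    for i in range(connections):
        ephemeral = 40000 + i
        pkts.append((i * 0.2, CLIENT, ephemeral, WEB_SERVER, 80, "S"))
        pkts.append((i * 0.2 + 0.05, WEB_SERVER, 80, CLIENT, ephemeral, "SA"))
    return pkts


def port_scan(ports=30):
    """Model of a real scan: one host sends a SYN to each of `ports`
    consecutive low ports on a single target."""
    return [(i * 0.1, SCANNER, 50000 + i, TARGET, 20 + i, "S") for i in range(ports)]


def detect(packets, port_limit=20, target_limit=5, timeout=60, syn_only=False):
    """Simplified portscan2-style counter (a model, not Snort's code).

    For each source IP, keep the (dst_ip, dst_port) pairs seen within the
    last `timeout` seconds and raise one alert per source when the number
    of distinct ports exceeds `port_limit` or the number of distinct targets
    exceeds `target_limit`.  With syn_only=True only packets whose flags are
    exactly "S" (a client-initiated SYN) are counted, so a server's SYN/ACK
    replies never contribute to the count.
    Returns a list of (src_ip, reason, count) tuples."""
    seen = defaultdict(list)   # src_ip -> [(ts, dst_ip, dst_port), ...]
    alerts = []
    for ts, sip, sport, dip, dport, flags in sorted(packets):
        if syn_only and flags != "S":
            continue
        window = [e for e in seen[sip] if ts - e[0] <= timeout]
        window.append((ts, dip, dport))
        seen[sip] = window
        if any(a[0] == sip for a in alerts):
            continue  # already alerted on this source
        ports = {(d, p) for _, d, p in window}
        targets = {d for _, d, _ in window}
        if len(ports) > port_limit:
            alerts.append((sip, "port_limit", len(ports)))
        elif len(targets) > target_limit:
            alerts.append((sip, "target_limit", len(targets)))
    return alerts


def alerting_sources(packets, **kwargs):
    """Sorted list of source IPs that produced an alert."""
    return sorted({a[0] for a in detect(packets, **kwargs)})


if __name__ == "__main__":
    traffic = web_browsing_session() + port_scan()
    # Counting every packet: the web server's replies look like a scan.
    print("port_limit=20, all packets:", alerting_sources(traffic, port_limit=20))
    # Raising the threshold past the page load also hides the real scan.
    print("port_limit=35, all packets:", alerting_sources(traffic, port_limit=35))
    # Counting only client-initiated SYNs keeps the real scan and drops the reply noise.
    print("port_limit=20, SYN only   :", alerting_sources(traffic, port_limit=20, syn_only=True))
```

With port_limit=20 and every packet counted, both the web server and the scanner alert; with port_limit=35 neither does; with SYN-only counting at port_limit=20 only the scanner alerts. The caveat is the same one that applies to any direction-based filter: it assumes the server's packets really are replies to connections the client opened, so in a real deployment it belongs next to state tracking rather than a plain source-port check, which an attacker could otherwise satisfy by choosing a source port.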