Snort mailing list archives
Re: Portscan preprocessor and false positives
From: Ben Keepper <lists () paladinss com>
Date: 16 Oct 2002 06:39:09 -0700
I must be missing it, because I thought I mentioned in my original post that I didn't want to use portscan-ignorehosts. Since it is a preprocessor, a pass rule won't work either, right? Now, I haven't played with the BPF filters. Based on the example on your web page, it kind of looks like it might work, except that it is a preprocessor generating the alerts, so I am not sure.

Since apparently I didn't get my point across earlier, what I am trying to do is get the portscan preprocessor to ignore port 80, even better if I can only ignore port 80 if the source is HOME_NET. Anybody know of a way to do that? (The client would like to watch their internal networks for portscans.) My original (bad) post is pasted at the end of this one.

On Tue, 2002-10-15 at 21:54, Erek Adams wrote:
> On 15 Oct 2002, Ben Keepper wrote:
>
> > I didn't see this covered in the FAQ.
>
> Well... Might want to read closer next time. ;-)
>
> http://www.snort.org/docs/faq.html#3.7
> http://www.theadamsfamily.net/~erek/snort/ignore.txt
>
> To be more specific: Depending on what and how you want to ignore things, you might have to use multiple ways. You might need to use BPF or you might just want a pass rule. Since it's the portscan(2) preprocessor you should be able to add in the portscan(2)-ignorehosts line and all should be well. Check the archives at http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2 and http://marc.theaimsgroup.com/?l=snort-devel&r=1&w=2 for a recent discussion on that. I could be wrong, but I think that portscan2-ignorehosts isn't quite working at 100%. Again, that's IMHO so it isn't gospel.
>
> Good luck!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

---------- Original post ----------

I didn't see this covered in the FAQ. We are receiving a lot of spp:portscan alerts when internal users go to sites like msn.com (go figure). All the separate banner ads are showing up as separate IPs and the portscan preprocessor fires. I have tried increasing the thresholds to no avail. I could add HOME_NET to the ignore hosts variable, but would prefer to just have the preprocessor for the sensor ignore what it thinks are port scans on port 80. So can I get the portscan preprocessor to ignore port 80?

Thanks to everybody for your help.
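A toy model of the false positive this thread is about, added here as an illustration and not part of the archived messages or of Snort's own preprocessor code: a sliding-window counter of distinct (host, port) targets per source, with the "ignore port 80 only when the source is HOME_NET" exclusion Ben asks for. The threshold, window, addresses and connection records are constructed assumptions, chosen so that a browsing session, an internal probe and an external web sweep each fall on the intended side of the threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connections: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.1.0.5 is an internal browser; each banner-ad server is a different IP on TCP/80.
HOME_NET = ipaddress.ip_network("10.1.0.0/24")   # assumed internal range
SAMPLE = [
    (0.0, "10.1.0.5", "207.46.1.10", 80),   # portal page
    (0.3, "10.1.0.5", "64.4.11.7", 80),     # banner ad 1
    (0.6, "10.1.0.5", "209.73.5.9", 80),    # banner ad 2
    (0.9, "10.1.0.5", "216.33.2.3", 80),    # banner ad 3
    (1.2, "10.1.0.5", "63.208.2.4", 80),    # banner ad 4
    # a genuine probe of one internal server from the same client
    (20.0, "10.1.0.5", "10.1.0.20", 21),
    (20.2, "10.1.0.5", "10.1.0.20", 22),
    (20.4, "10.1.0.5", "10.1.0.20", 23),
    (20.6, "10.1.0.5", "10.1.0.20", 25),
    # an outside host sweeping the internal network for web servers
    (40.0, "198.51.100.7", "10.1.0.1", 80),
    (40.1, "198.51.100.7", "10.1.0.2", 80),
    (40.2, "198.51.100.7", "10.1.0.3", 80),
    (40.3, "198.51.100.7", "10.1.0.4", 80),
]


def portscan_alerts(conns, threshold=4, window=3.0, ignore_port=None, ignore_net=None):
    """Alert once per source when it has contacted `threshold` distinct
    (dst, port) targets within `window` seconds (a simplification of what a
    portscan preprocessor counts, not Snort's algorithm).  Connections to
    `ignore_port` are skipped; if `ignore_net` is given, only when the source
    lies inside that network.  Returns [(src, alert_timestamp), ...]."""
    recent = defaultdict(list)          # src -> [(ts, (dst, port)), ...] inside the window
    alerts, fired = [], set()
    for ts, src, dst, dport in sorted(conns):
        if dport == ignore_port and (
            ignore_net is None or ipaddress.ip_address(src) in ignore_net
        ):
            continue                    # excluded traffic never reaches the counter
        bucket = recent[src]
        bucket.append((ts, (dst, dport)))
        while ts - bucket[0][0] > window:
            bucket.pop(0)               # slide the window forward
        if src not in fired and len({target for _, target in bucket}) >= threshold:
            fired.add(src)
            alerts.append((src, ts))
    return alerts
```

Ignoring port 80 for every source also hides the external web sweep, which is why restricting the exclusion to HOME_NET sources matters.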