Snort mailing list archives

Re: Portscan preprocessor and false positives


From: Bennett Todd <bet () rahul net>
Date: Wed, 16 Oct 2002 11:44:39 -0400

2002-10-16-09:39:09 Ben Keepper:
> I must be missing it, because I thought I mentioned in my original post
> that I didn't want to use portscan-ignore hosts.

OK, I can see that; presumably this would be because you still want
to see non-port-80 portscans for these hosts.

> Since it is a preprocessor, a pass rule won't work either, right?

Right.

> Now, I haven't played with the BPF filters.  Based on the example on
> your web page, it kind of looks like it might work, except that it is a
> preprocessor generating the alerts, so I am not sure.

BPF will indeed work here; while pass rules don't get handled before
preprocessors, BPF does: it is logically down below the network read
process; it is front-end filtering. The stream of packets fed up to
snort, for consideration by preprocessors and pass/alert/log rules
in whatever order, is first filtered by your BPF expression, if any.

> Since apparently I didn't get my point across earlier, what I am trying
> to do is get the portscan preprocessor to ignore port 80, even better if
> I can only ignore port 80 if the source is HOME_NET.

Let us suppose your HOME_NET is 192.168.0.0/24; then the BPF should
I believe be something like

        src net 192.168.0.0/24 and ip proto tcp and dst port 80

The second and third clauses could be collapsed to "dst port http",
except that at least my /etc/services has both 80/tcp and 80/udp for
http, so you need the ip proto restriction anyway.

If you had HOME_NET more like [10.1.1.0/24,192.168.1.0/24], then
the BPF rendition would look more like

  '(src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80'

-Bennett
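The point of the reply above is that a BPF expression is applied before anything in snort (preprocessors included) sees a packet: only packets that match the expression are handed up. The script below, an added example that is not part of the original thread or of snort, models that gating over a small constructed traffic sample so the effect of each clause can be checked. The HOME_NET ranges are the second variant from the message; the packet list, the `Packet` type and the helper names (`home_web_request`, `snort_filter_keeps`) are assumptions made for illustration. Since the stated goal is to keep port-80 traffic from HOME_NET away from the portscan preprocessor, the expression handed to snort is the negation of the one that selects that traffic, and the sample includes a UDP packet to port 80 to show why the `ip proto tcp` clause matters.

```python
"""Model of how a BPF expression gates what snort's preprocessors see.

Added example, not from the original thread or from snort itself. The
packets, HOME_NET ranges and the helper names are assumptions made for
illustration; in a real deployment the BPF string is given to snort and
evaluated by libpcap, not by this evaluator.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# HOME_NET as in the second variant in the message above (assumed values).
HOME_NET = [ipaddress.ip_network("10.1.1.0/24"),
            ipaddress.ip_network("192.168.1.0/24")]


def src_net(pkt, nets):
    """BPF 'src net A or B': the source address lies inside any listed network.
    (In pcap syntax the second operand inherits the 'src net' qualifier.)"""
    return any(ipaddress.ip_address(pkt.src) in n for n in nets)


def dst_port(pkt, port, proto=None):
    """BPF 'dst port N' on its own matches any transport (80/tcp and 80/udp);
    with proto set it models 'ip proto tcp and dst port N'."""
    return pkt.dport == port and (proto is None or pkt.proto == proto)


def home_web_request(pkt, nets=HOME_NET):
    """The expression as written in the message:
    '(src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80'.
    It selects outbound web requests from HOME_NET."""
    return src_net(pkt, nets) and dst_port(pkt, 80, "tcp")


def snort_filter_keeps(pkt, nets=HOME_NET):
    """Only packets matching the BPF expression reach snort's preprocessors.
    To make the portscan preprocessor ignore port-80 traffic from HOME_NET,
    the expression given to snort is therefore the negation:
    'not ((src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80)'."""
    return not home_web_request(pkt, nets)


# Constructed traffic sample (not real captures).
SAMPLE = [
    Packet("10.1.1.5",     "203.0.113.10", "tcp", 40001, 80),   # web request from HOME_NET: filtered
    Packet("10.1.1.5",     "203.0.113.10", "tcp", 40002, 443),  # HTTPS from HOME_NET: still seen
    Packet("10.1.1.5",     "203.0.113.11", "udp", 40003, 80),   # 80/udp: 'ip proto tcp' keeps it visible
    Packet("198.51.100.7", "10.1.1.5",     "tcp", 40004, 80),   # inbound to a HOME_NET web server: seen
    Packet("192.168.1.20", "10.1.1.9",     "tcp", 40005, 22),   # internal probe to port 22: seen
    Packet("192.168.1.20", "10.1.1.9",     "tcp", 40006, 80),   # internal web request: filtered
]


def visible_to_preprocessors(packets=SAMPLE, nets=HOME_NET):
    """Packets that pass the front-end BPF filter and reach the portscan preprocessor."""
    return [p for p in packets if snort_filter_keeps(p, nets)]


def dropped_by_filter(packets=SAMPLE, nets=HOME_NET):
    """Packets the BPF filter discards before any preprocessor or rule runs."""
    return [p for p in packets if not snort_filter_keeps(p, nets)]


if __name__ == "__main__":
    for p in SAMPLE:
        state = "seen" if snort_filter_keeps(p) else "filtered"
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport:<4} {state}")
```

Running the script lists each sample packet with whether it survives the filter. Note that the filter removes the port-80 packets from every preprocessor and rule, not only from the portscan preprocessor, so HTTP rules for HOME_NET-originated requests would go silent as well.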
