Snort mailing list archives
Re: Portscan preprocessor and false positives
From: Bennett Todd <bet () rahul net>
Date: Wed, 16 Oct 2002 11:44:39 -0400
2002-10-16-09:39:09 Ben Keepper:
I must be missing it, because I thought I mentioned in my original post that I didn't want to use portscan-ignore hosts.
Ok, I can see that; presumably this would be because you still want to see non-port-80 portscans for these hosts.
Since it is a preprocessor, a pass rule won't work either, right?
Right.
Now, I haven't played with the BPF filters. Based on the example on your web page, it kind of looks like it might work, except that it is a preprocessor generating the alerts, so I am not sure.
BPF will indeed work here; while pass rules don't get handled before preprocessors, BPF does: it's logically down below the network read process, it's front-end filtering. The stream of packets fed up to snort, for consideration by preprocessors and pass/alert/log rules in whatever order, is first filtered by your BPF expression if any.
Since apparently I didn't get my point across earlier, what I am trying to do is get the portscan preprocessor to ignore port 80, even better if I can only ignore port 80 if the source is HOME_NET.
Let us suppose your HOME_NET is 192.168.0.0/24; then the BPF should I believe be something like

    src net 192.168.0.0/24 and ip proto tcp and dst port 80

The second and third clauses could be collapsed to "dst port http", except that at least my /etc/services has both 80/tcp and 80/udp for http, so you need the ip proto restriction anyway. If you had HOME_NET more like [10.1.1.0/24,192.168.1.0/24], then the BPF rendition would look more like

    (src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80

-Bennett
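The following is an added example for this thread, not code from Bennett Todd's post or from the Snort project. It builds the BPF expression discussed above from a snort.conf-style HOME_NET value (a single CIDR, a bracketed comma-separated list, or "any"; those three input shapes are the only assumption) and then runs a set of constructed sample packets through the same logic to show which packets the expression keeps. Because a libpcap filter keeps the packets that match it, the helper also offers an exclude flag that wraps the expression in "not (...)" for the case where the goal is to have snort see everything except HOME_NET traffic to port 80. Where Bennett's multi-net form relies on libpcap qualifier inheritance ("src net A or B"), the generated form spells out "src net" for each network, which libpcap accepts equally.

```python
"""Generate a Snort/libpcap BPF expression for "HOME_NET -> tcp/<port>" and
show which packets it selects.

Added example; not code from the original post or from Snort. Assumes only
that HOME_NET is written as snort.conf writes it: one CIDR, a bracketed
comma-separated list such as [10.1.1.0/24,192.168.1.0/24], or "any".
"""
import ipaddress


def parse_home_net(home_net: str) -> list:
    """Turn a HOME_NET value into a list of ip_network objects.
    "any" yields an empty list, meaning no source restriction."""
    s = home_net.strip()
    if s.lower() == "any":
        return []
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in s.split(",") if p.strip()]


def snort_bpf(home_net: str, dport: int = 80, exclude: bool = False) -> str:
    """BPF expression selecting TCP traffic from HOME_NET to dport.

    exclude=False: the expression matches exactly HOME_NET -> tcp/dport.
    exclude=True:  the expression is wrapped in "not (...)", so a capture
    filter built from it lets through everything except that traffic.
    "ip proto tcp" is kept explicit because /etc/services maps 80 to both
    tcp and udp, as the post notes."""
    nets = parse_home_net(home_net)
    clauses = []
    if nets:
        src = " or ".join(f"src net {n.with_prefixlen}" for n in nets)
        clauses.append(f"({src})" if len(nets) > 1 else src)
    clauses += ["ip proto tcp", f"dst port {dport}"]
    expr = " and ".join(clauses)
    return f"not ({expr})" if exclude else expr


def selected(home_net: str, packets, dport: int = 80, exclude: bool = False):
    """Return the packets a filter from snort_bpf() would pass to snort.

    Each packet is a (src_ip, proto, dst_port) tuple. This mirrors BPF
    semantics for this one expression shape; it is not a general BPF
    interpreter."""
    nets = parse_home_net(home_net)
    kept = []
    for src, proto, dst in packets:
        in_home = not nets or any(ipaddress.ip_address(src) in n for n in nets)
        match = in_home and proto == "tcp" and dst == dport
        if match != exclude:
            kept.append((src, proto, dst))
    return kept


# Constructed sample traffic (not captured data): two HOME_NET clients
# talking to tcp/80, plus udp/80, tcp/22 and an outside host hitting tcp/80.
SAMPLE_PACKETS = [
    ("10.1.1.5", "tcp", 80),
    ("192.168.1.9", "tcp", 80),
    ("192.168.1.9", "udp", 80),
    ("192.168.1.9", "tcp", 22),
    ("203.0.113.7", "tcp", 80),
]

if __name__ == "__main__":
    home = "[10.1.1.0/24,192.168.1.0/24]"
    for excl in (False, True):
        print(snort_bpf(home, exclude=excl))
        for pkt in selected(home, SAMPLE_PACKETS, exclude=excl):
            print("   keeps", pkt)
```

Run it as a script to see both forms side by side: the plain expression keeps only the two HOME_NET-to-tcp/80 packets, while the exclude form keeps the other three, which is the set snort's portscan preprocessor would then get to examine.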
Current thread:
- Portscan preprocessor and false positives Ben Keepper (Oct 15)
- Re: Portscan preprocessor and false positives Alberto Gonzalez (Oct 15)
- Re: Portscan preprocessor and false positives Erek Adams (Oct 15)
- snort 1.9 doesn't raise alert for httptunneling telnet... s.wun (Oct 16)
- Re: snort 1.9 doesn't raise alert for httptunneling telnet... Erek Adams (Oct 16)
- Re: Portscan preprocessor and false positives Ben Keepper (Oct 16)
- Re: Portscan preprocessor and false positives Bennett Todd (Oct 16)
- Re: Portscan preprocessor and false positives Bennett Todd (Oct 17)