Snort mailing list archives

Re: scan.log file


From: Scott Fringer <fringsm () is2 hsnet ufl edu>
Date: Tue, 11 Feb 2003 07:38:53 -0500 (EST)

Jon,
  spp_portscan2 generates the traffic that ends up in scan.log.  So, yes,
it should be portscan traffic that gets there.  If you are seeing
legitimate traffic ending up there, try adding the following to your
snort.conf:

preprocessor portscan2-ignorehosts: [hosts-to-ignore]

<follows the same arguments as most variables, i.e. HOME_NET, etc.>

That should keep them from showing up (though I've heard mixed results on
the list, it does work for me here).

Scott

Scott Fringer                              Shands Healthcare @ U.F.
Technical Analyst II                       Gainesville, FL

On Mon, 10 Feb 2003, John S wrote:

Can anyone tell me what triggers an alert to the scan.log file?  Is it just
port scans? I am seeing a lot of legitimate DNS queries being logged in that
file.  What are people doing to reduce these false positives?

Thanks!
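A small triage script, added here as an example and not part of the thread or of Snort itself, that helps decide what to put in the portscan2-ignorehosts line Scott suggests: it tallies scan.log sources, separates known DNS servers answering from udp/53 from everything else, and renders the directive. The scan.log line layout and the bracketed, comma-separated host-list syntax are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format spp_portscan2 is assumed to write
# to scan.log (timestamp, protocol, src/dst, sport/dport, target/port counts).
SAMPLE_SCAN_LOG = """\
02/10-09:15:21.118241 UDP src: 192.168.1.53 dst: 10.1.4.17 sport: 53 dport: 33412 tgts: 6 ports: 6 event_id: 1
02/10-09:15:21.402877 UDP src: 192.168.1.53 dst: 10.1.4.22 sport: 53 dport: 33417 tgts: 7 ports: 7 event_id: 1
02/10-09:15:22.000311 UDP src: 192.168.1.53 dst: 10.1.4.31 sport: 53 dport: 33420 tgts: 8 ports: 8 event_id: 1
02/10-09:16:03.551209 TCP src: 203.0.113.45 dst: 10.1.4.17 sport: 4412 dport: 21 tgts: 1 ports: 9 event_id: 2
02/10-09:16:03.552114 TCP src: 203.0.113.45 dst: 10.1.4.17 sport: 4413 dport: 22 tgts: 1 ports: 10 event_id: 2
02/10-09:16:03.553009 TCP src: 203.0.113.45 dst: 10.1.4.17 sport: 4414 dport: 23 tgts: 1 ports: 11 event_id: 2
"""

# Assumed field layout; only the fields needed for triage are captured.
LINE_RE = re.compile(
    r"^\S+ (?P<proto>TCP|UDP) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+)"
)

def parse_scan_log(text):
    """Yield one dict per parsable scan.log line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify_sources(text, dns_servers):
    """Split logged sources into known DNS servers answering from udp/53
    (expected noise) and everything else (still worth a look).
    Returns (ignorable, suspicious) as Counters of source -> entry count."""
    ignorable, suspicious = Counter(), Counter()
    for ev in parse_scan_log(text):
        if ev["src"] in dns_servers and ev["proto"] == "UDP" and ev["sport"] == "53":
            ignorable[ev["src"]] += 1
        else:
            suspicious[ev["src"]] += 1
    return ignorable, suspicious

def ignorehosts_directive(hosts):
    """Render the snort.conf line from the reply; the bracketed, comma-separated
    HOME_NET-style list syntax is an assumption."""
    return "preprocessor portscan2-ignorehosts: [%s]" % ",".join(sorted(hosts))

if __name__ == "__main__":
    ign, sus = classify_sources(SAMPLE_SCAN_LOG, {"192.168.1.53"})
    print(ignorehosts_directive(ign))
    for src, n in sus.most_common():
        print("review: %s (%d scan.log entries)" % (src, n))
```

Only hosts that are both on your DNS server list and logged for udp/53 replies end up in the directive; a real port scanner such as the TCP source in the sample stays in the review list.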


