Snort mailing list archives

Re: unknown destination ip and portscan false alerts


From: Alberto Gonzalez <electron () wwjh net>
Date: Sat, 8 Mar 2003 02:57:26 -0500 (EST)



[...snip...]


Signature: portscan
alert: spp_portscan detected from 192.168.0.11
(THRESHOLD 4 connections exceeded in 0 seconds)
source ip: 192.168.0.11
destination ip: unknown
proto: IP


Use portscan-ignorehosts; the syntax is 'preprocessor portscan-ignorehosts: x.x.x.x'.

2) I'm getting a lot of portscan alerts to and from
ports 80, 25 and 53.
How do I disable alerts to and from these ports?

Neither spp_portscan nor portscan2 can take ports as arguments.
BPF filters might be of use with different snort instances, though the BPF
filters wouldn't just apply to portscans; they would apply to everything. I
use the rules that come with snort to detect portscans, and I disable both
preprocessors.

How do I disable portscans from the internal network to the
internet, while keeping portscans from the internal network
to the internal network intact?

You might want to run two instances of snort, one on your internet
connected interface, the other on your internal interface, each with a
different configuration file. This would give you more control over what you
want to see on each side. HTH!

Cheers!
  Alberto Gonzalez


--
"Success comes to the person who does today, what you are thinking of doing tomorrow." 
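An added example, not part of Alberto's message, that puts the three pieces of advice together: one snort instance per interface with its own configuration, spp_portscan plus portscan-ignorehosts only on the internal sensor, and a BPF filter on the internet-facing sensor. Interface names, file paths, the 192.168.0.0/24 network and the ignored hosts are assumed placeholders.

```shell
#!/bin/sh
# Two-sensor layout as suggested in the thread. HOME_NET, the interface
# names (eth0 = internet side, eth1 = internal side) and the ignore list
# are constructed placeholders; adjust them for your own site.
HOME_NET="192.168.0.0/24"
IGNORE_HOSTS="192.168.0.11 192.168.0.53"   # e.g. monitoring box, DNS server
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# BPF filter for the internet-facing instance only. Caveat from the
# thread: this removes port 80/25/53 traffic from everything that
# instance inspects, not just from portscan detection.
EXTERNAL_BPF="not (port 80 or port 25 or port 53)"

# write_conf PATH ENABLE_SPP_PORTSCAN(yes|no): emit a minimal snort.conf.
# spp_portscan is enabled on the internal sensor only, so internal-to-
# internet scans are not reported while internal-to-internal scans are;
# the external sensor relies on scan.rules instead.
write_conf() {
    {
        echo "var HOME_NET $HOME_NET"
        echo "var RULE_PATH /etc/snort/rules"
        if [ "$2" = yes ]; then
            # flag 4 ports touched within 3 seconds, as in the Snort manual
            echo "preprocessor portscan: \$HOME_NET 4 3 /var/log/snort/portscan.log"
            echo "preprocessor portscan-ignorehosts: $IGNORE_HOSTS"
        fi
        echo "include \$RULE_PATH/scan.rules"
    } > "$1"
}

# Command lines for the two daemons; the BPF expression is passed as
# trailing arguments, which is how snort takes a capture filter.
external_cmd() { echo "snort -D -i eth0 -c $CONF_DIR/external.conf $EXTERNAL_BPF"; }
internal_cmd() { echo "snort -D -i eth1 -c $CONF_DIR/internal.conf"; }

write_conf "$CONF_DIR/external.conf" no
write_conf "$CONF_DIR/internal.conf" yes

# Start the sensors only when snort is installed; otherwise just show
# what would be run.
if command -v snort >/dev/null 2>&1; then
    eval "$(external_cmd)"
    eval "$(internal_cmd)"
else
    external_cmd
    internal_cmd
fi
```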



