Snort mailing list archives
preprocessor portscan2-ignorehosts + "WEBTRAFFIC"
From: "mike Hughes" <mikehughes013 () hotmail com>
Date: Fri, 14 Mar 2003 13:03:00 -0800
Hello,

I am trying to cut back on the false alarms I receive. I get a lot of "web traffic" like this in my ACID CONSOLE alerts, after I visit sites like www.MSN.com, etc. I want to try to stop all these alerts, so (192.173.60.183 being my IP address, eth0_ADDRESS):
#########################################################################
#0-(2-1295) [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 1186 seconds 2003-03-14 13:08:16 192.173.60.183:53 208.38.45.164:53 UDP
#1-(2-1294) [snort] (spp_portscan2) Portscan detected from 208.38.45.177: 1 targets 21 ports in 16 seconds 2003-03-14 12:46:09 208.38.45.177:80 192.173.60.183:3172 TCP
#2-(2-1293) [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 13 seconds 2003-03-14 12:45:53 192.173.60.183:53 12.47.217.11:53 UDP
#3-(2-1292) [snort] (spp_portscan2) Portscan detected from 64.4.8.24: 1 targets 21 ports in 3 seconds 2003-03-14 12:44:33 64.4.8.24:80 192.173.60.183:3121 TCP
########################################################################

So I have "preprocessor portscan2" enabled and I added a few things to "preprocessor portscan2-ignorehosts", but they both come back with ERRORS when I start "SNORTD". Here are the 2 things that I tried to add:

preprocessor portscan2-ignorehosts: $DNS_SERVERS, $eth0_ADDRESS
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

AND:

preprocessor portscan2-ignorehosts: [$DNS_SERVERS, $eth0_ADDRESS]

Any idea on how to write this line properly, and/or another way to stop all these ALERTS I get? Thanks

Mike
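
An added example, not part of the original post or of Snort: a small triage script that parses the spp_portscan2 alert lines quoted in the message and groups the reported "scanner" addresses by what the traffic most likely is. The port sets, labels and function names are assumptions made for illustration, and the output is a review list to check before any host goes into an ignore list, not Snort configuration.

```python
import re
from collections import defaultdict

# Alert lines copied from the post above (ACID row prefixes removed).
SAMPLE_ALERTS = """\
(spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 1186 seconds 2003-03-14 13:08:16 192.173.60.183:53 208.38.45.164:53 UDP
(spp_portscan2) Portscan detected from 208.38.45.177: 1 targets 21 ports in 16 seconds 2003-03-14 12:46:09 208.38.45.177:80 192.173.60.183:3172 TCP
(spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 13 seconds 2003-03-14 12:45:53 192.173.60.183:53 12.47.217.11:53 UDP
(spp_portscan2) Portscan detected from 64.4.8.24: 1 targets 21 ports in 3 seconds 2003-03-14 12:44:33 64.4.8.24:80 192.173.60.183:3121 TCP
"""

ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP)"
)

# Assumption: well-known server ports whose replies fan out to many client ports.
SERVICE_PORTS = {53, 80, 443}
EPHEMERAL_MIN = 1024  # assumption: client-side ports start here


def classify(m):
    """Label one parsed alert by the port pattern of its sample packet."""
    sport, dport = int(m["sport"]), int(m["dport"])
    if m["proto"] == "UDP" and sport == 53 and dport == 53:
        return "dns-lookup"      # resolver talking to several name servers
    if sport in SERVICE_PORTS and dport >= EPHEMERAL_MIN:
        return "server-reply"    # server answering many client source ports
    return "review"              # nothing benign-looking; inspect by hand


def triage(text):
    """Return {label: sorted list of 'scanner' addresses} for all alert lines."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            buckets[classify(m)].add(m["scanner"])
    return {label: sorted(hosts) for label, hosts in buckets.items()}


if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_ALERTS).items():
        print(f"{label}: {', '.join(hosts)}")
```
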