Snort mailing list archives
Re: Portscan2...
From: Tobias Rice <rice () up edu>
Date: Sat, 22 Mar 2003 11:40:30 -0800 (PST)
Erek- Thanks for the tips, I'll try the ignore options and see if it works for me. But I.m a little confused about the BPF filters, the man page is a little vague. Currently, I.m running snort like so: /usr/sbin/snort-mysql+flexresp -o -i eth0 -c /etc/snort/snort.conf So would it now be: (after creating the file scan.bpf) /usr/sbin/snort-mysql+flexresp -o -i eth0 -c /etc/snort/snort.conf .F bpf_file: /etc/snort/scan.bpf And the file scan.bpf would contain this: not host 111.222.333.444 and not port (53 or 5060) Thanks again! On Sat, 22 Mar 2003, Erek Adams wrote:
On Sat, 22 Mar 2003, Tobias Rice wrote:Thanks you all for your responses! FYI, I am not scanning my server locally, I'm using a workstation. I'll try a BPF fileter and update you later.Just to mention it: There's also preprocessor portscan2-ignoreports-to: preprocessor portscan2-ignoreports-from: That may work as well as a BPF filter. One thing that should be kept in mind, with either BPF filters or with using ignore* options: You can "blind" youself very easily. You want to be sure that you don't ignore _all_ traffic on port 53, or all traffic from host <foo> unless you _really_, _really_ mean it. It wouldn't do to have a DNS server hacked because you ignore port 53. :) Also keep in mind that dropping thigs with a BPF filter causes Snort never to see it. It's dropped at the libpcap level, so it never even makes it into Snort's processing engine. That may be a slight performance gain in some cases. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.net email is sponsored by:Crypto Challenge is now open! Get cracking and register here for some mind boggling fun and the chance of winning an Apple iPod: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Alberto Gonzalez (Mar 22)
- Re: Portscan2... Alberto Gonzalez (Mar 22)
- Re: Portscan2... Tobias Rice (Mar 22)
- Re: Portscan2... Erek Adams (Mar 22)
- Re: Portscan2... Jim Burwell (Mar 22)
- Re: Portscan2... Erek Adams (Mar 23)
- Re: Portscan2... Jim Burwell (Mar 23)