Snort mailing list archives

spp_portscan2 proxy alerts


From: <gr8dane2 () bellsouth net>
Date: Mon, 13 Jan 2003 15:41:43 -0500

If this message gets posted twice, I'm sorry, I accidentally sent it from a different address and it got held.  (Ok, I'll 
drink!)

Hello, I'm trying to eliminate some false alerts and I know this one has been discussed, but I seem to be finding 
conflicting information and would like to know what your thoughts are.  First, my setup:

Sensor:
Snort 1.9.0 Win32 binary downloaded from Snort.org running on a Windows XP system.  It sits between a Novell BorderManager 
firewall and my LAN.  It is logging the information to a MySQL server.  I also have another sensor outside the 
firewall, but I'm not concerned with that for this problem.

Server:
Windows XP running MySQL 3.23.54 and ACID 0.9.6 b23 on IIS 5.1.

The BorderManager server is set up as a proxy.  Therefore, I am getting the usual spp_portscan2 traffic:
 [snort] (spp_portscan2) Portscan detected from <BorderManager>: 1 targets 21 ports in 41 seconds

I get about 10 or 12 an hour.  I have found many references to this situation.  I have followed much of the advice, but 
seem to find myself chasing my tail.  I have configured spp_portscan to ignore hosts and specified my BM, but this had 
no effect on portscan2.  I have put the same ignore hosts command for the portscan2 as someone had suggested, but that 
didn't work either.  The only thing I haven't tried yet was someone's suggestion to download his personal code that would 
allow you to do an ignore ports setting for portscan2.  It involves compiling the software, which I am unfamiliar with.  
That's why I used the binary on Windows.  Not to mention, I am a little wary about trusting such a situation.  Any 
help would be greatly appreciated!  Also, thank you all for contributing so much!  The archives have already solved 
many problems for me.

Dane Howard
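A post-processing filter for the alert text quoted in the post, as an added example that is not part of the original message or of Snort itself: it parses spp_portscan2 alert lines, suppresses those sourced from a listed proxy when they hit only a small number of targets (ordinary browsing through a proxy looks like one source, one target, many ports), and keeps proxy-sourced alerts that fan out to many targets. The address 192.0.2.1 is a placeholder for the BorderManager host, the sample lines are constructed, and the target threshold is an assumption of this example, not something the post or Snort defines.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Matches the spp_portscan2 alert text quoted in the post and captures the
# source host plus the three counters (targets, ports, seconds).
PORTSCAN2_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<seconds>\d+) seconds"
)


@dataclass
class PortscanAlert:
    src: str
    targets: int
    ports: int
    seconds: int


def parse_alert(line: str):
    """Return a PortscanAlert for a spp_portscan2 line, or None for any other line."""
    m = PORTSCAN2_RE.search(line)
    if not m:
        return None
    return PortscanAlert(m["src"], int(m["targets"]), int(m["ports"]), int(m["seconds"]))


def filter_alerts(lines: Iterable[str], proxy_hosts: set[str], max_proxy_targets: int = 2):
    """Split parsed alerts into (kept, suppressed).

    An alert is suppressed only when its source is a known proxy AND it touched
    at most max_proxy_targets hosts; a proxy-sourced alert spanning many targets
    is kept so a real scan relayed through the proxy is not silently hidden.
    max_proxy_targets is an assumed threshold for this example.
    """
    kept, suppressed = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a portscan2 alert; leave it to other handling
        if alert.src in proxy_hosts and alert.targets <= max_proxy_targets:
            suppressed.append(alert)
        else:
            kept.append(alert)
    return kept, suppressed


# Constructed sample alert lines in the format shown in the post.
# 192.0.2.1 stands in for the BorderManager proxy; 198.51.100.7 is another host.
SAMPLE_LINES = [
    "[snort] (spp_portscan2) Portscan detected from 192.0.2.1: 1 targets 21 ports in 41 seconds",
    "[snort] (spp_portscan2) Portscan detected from 192.0.2.1: 9 targets 64 ports in 12 seconds",
    "[snort] (spp_portscan2) Portscan detected from 198.51.100.7: 1 targets 30 ports in 10 seconds",
    "[snort] some unrelated alert text",
]
PROXY_HOSTS = {"192.0.2.1"}

if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE_LINES, PROXY_HOSTS)
    print(f"kept {len(kept)} alerts, suppressed {len(dropped)} proxy alerts")
```

Run against an exported alert file, the suppressed list is worth logging separately rather than discarding, so the exclusion can be reviewed later.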




