Snort mailing list archives
spp_portscan2 proxy alerts
From: <gr8dane2 () bellsouth net>
Date: Mon, 13 Jan 2003 15:41:43 -0500
If this message gets posted twice, I'm sorry; I accidentally sent it from a different address and it got held. (Ok, I'll drink!)

Hello, I'm trying to eliminate some false alerts. I know this one has been discussed, but I seem to be finding conflicting information and would like to know what your thoughts are.

First, my setup:

Sensor: Snort 1.9.0 Win32 binary downloaded from Snort.org, running on a Windows XP system. It sits between a Novell BorderManager firewall and my LAN. It is logging the information to a MySQL server. I also have another sensor outside the firewall, but I'm not concerned with that for this problem.

Server: Windows XP running MySQL 3.23.54 and ACID 0.9.6b23 on IIS 5.1.

The BorderManager server is set up as a proxy. Therefore, I am getting the usual spp_portscan2 traffic:

[snort] (spp_portscan2) Portscan detected from <BorderManager>: 1 targets 21 ports in 41 seconds

I get about 10 or 12 an hour. I have found many references to this situation. I have followed much of the advice, but seem to find myself chasing my tail. I have configured spp_portscan to ignore hosts and specified my BM, but this had no effect on portscan2. I have put the same ignore hosts command for portscan2 as someone had suggested, but that didn't work either.

The only thing I haven't tried yet: someone suggested downloading his personal code that would allow you to do an ignore ports setting for portscan2. It involves compiling the software, which I am unfamiliar with. That's why I used the binary on Windows. Not to mention, I am a little wary about trusting such a situation.

Any help would be greatly appreciated! Also, thank you all for contributing so much! The archives have already solved many problems for me.

Dane Howard
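For reference, here are the two separate ignore-host directives the post is talking about, written out in snort.conf form. This is an added illustration, not configuration from the post; the directive names and options are as I recall them from the Snort 1.9 default snort.conf and its README files (treat them as an assumption to check against your own copy), and the 10.0.0.1 address is a placeholder for the BorderManager proxy. The point it makes is that spp_portscan and spp_portscan2 are configured independently, so an entry in portscan-ignorehosts does nothing for portscan2, and that portscan2 relies on the conversation preprocessor being declared before it.

```conf
# Added example, not from the post. Directive names follow the Snort 1.9
# snort.conf as I recall it (assumption); 10.0.0.1 stands in for the
# BorderManager proxy address.

# Legacy portscan preprocessor and its own ignore list.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 10.0.0.1

# portscan2 tracks flows through the conversation preprocessor, which
# therefore has to be loaded first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

# Default thresholds: alert when one source touches 5 targets or 20 ports
# within 60 seconds (the "21 ports in 41 seconds" alert above is exactly
# the port_limit being crossed inside the timeout window).
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# portscan2 does not read portscan-ignorehosts; it has its own directive.
# Hosts listed here are still tracked, but do not generate portscan2 alerts.
preprocessor portscan2-ignorehosts: 10.0.0.1
```

Lines starting with `#` are comments in snort.conf, so the fragment can be dropped in as-is. On the Win32 build the Snort service has to be restarted before the edited configuration is read, and a quick way to confirm the change took is to count spp_portscan2 events from the proxy address in ACID before and after the restart.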