Snort mailing list archives

Previous By Date Next
Previous By Thread Next

portscan2 false positives from web browsing

From: Ricky Charlet <rcharlet () speakeasy net>
Date: Mon, 18 Aug 2003 15:28:25 -0700
Howdy,
(I think) If I browse any web site which has banner adds, then the portscan2 preprosessor alarms with someting like: 
=========cut =========
Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_ADD_SERVER?>:80 
=========paste=============
This produces a lot of false positive "portscan detected" events in my logs. Is there a way to ignore portscans ORIGINATING from my host AND targeted to port 80? 

---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: