Snort mailing list archives
portscan2 false positives from web browsing
From: Ricky Charlet <rcharlet () speakeasy net>
Date: Mon, 18 Aug 2003 15:28:25 -0700
Howdy,(I think) If I browse any web site which has banner adds, then the portscan2 preprosessor alarms with someting like:
=========cut =========Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_ADD_SERVER?>:80
=========paste=============This produces a lot of false positive "portscan detected" events in my logs. Is there a way to ignore portscans ORIGINATING from my host AND targeted to port 80?
--- Ricky Charlet rcharlet () alumni calpoly edu 510.324.3163 ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- portscan2 false positives from web browsing Ricky Charlet (Aug 19)
- Re: portscan2 false positives from web browsing Matt Kettler (Aug 19)
- Re: portscan2 false positives from web browsing Erek Adams (Aug 19)