Snort mailing list archives

Re: portscan2 false positives from web browsing


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 19 Aug 2003 15:56:39 -0400

At 03:28 PM 8/18/2003 -0700, Ricky Charlet wrote:
Howdy,

(I think) If I browse any web site which has banner ads, then the portscan2 preprocessor alarms with something like:
=========cut =========
Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_ADD_SERVER?>:80
=========paste=============

This produces a lot of false positive "portscan detected" events in my logs. Is there a way to ignore portscans ORIGINATING from my host AND targeted to port 80?

Yep, that's exactly what portscan2 should do. In general, you probably want to ignore your local machines with a portscan2_ignorehosts statement.

Also, opening any page with a large number of small images can cause a browser to literally open hundreds of http connections in a 1 second time period. This makes it appear to portscan2 that said machines are doing a scan. It's completely impractical to use portscan2 without anything on the ignore list.
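As an added illustration (not code from the thread or from Snort itself), here is a small triage script that parses spp_portscan2 syslog lines in the format quoted above and flags the case the original poster asked about: a local host fanning out to web ports, which is browsing noise rather than a scan. The local network, the sample log lines and the web-port set are assumptions constructed for the example; the Snort-side fix remains the ignore-hosts directive in snort.conf.

```python
import ipaddress
import re

# Syslog line format emitted by spp_portscan2 (Snort 2.x), as quoted in the thread.
PORTSCAN2_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds "
    r"\{(?P<proto>\w+)\} (?P<src2>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample lines: a browsing burst from a local host, then an inbound scan.
SAMPLE_LOG = """\
Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.10: 6 targets 6 ports in 13 seconds {TCP} 192.168.1.10:56541 -> 203.0.113.7:80
Aug 18 15:22:41 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from 198.51.100.9: 1 targets 25 ports in 4 seconds {TCP} 198.51.100.9:44123 -> 192.168.1.10:445
"""

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed home network
WEB_PORTS = {80, 443}                                  # assumed "browsing" ports

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a portscan2 alert."""
    m = PORTSCAN2_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("targets", "ports", "secs", "sport", "dport"):
        d[k] = int(d[k])
    return d

def is_browsing_noise(alert):
    """True when the 'scan' source is local and the triggering packet went to a web port.
    Caveat: the log line only carries the destination of the packet that tripped the
    threshold, not every port the host touched, so this is a heuristic, not proof."""
    src = ipaddress.ip_address(alert["src"])
    return any(src in n for n in LOCAL_NETS) and alert["dport"] in WEB_PORTS

def triage(log_text):
    """Split portscan2 alerts into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            (suppressed if is_browsing_noise(alert) else kept).append(alert)
    return kept, suppressed

if __name__ == "__main__":
    # Preferable to post-filtering: list the local range in snort.conf, e.g.
    #   preprocessor portscan2-ignorehosts: 192.168.1.0/24
    kept, suppressed = triage(SAMPLE_LOG)
    print(f"kept {len(kept)} alert(s), suppressed {len(suppressed)} browsing burst(s)")
```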




