Snort mailing list archives

Re: portscan2 false positives from web browsing


From: Erek Adams <erek () snort org>
Date: Tue, 19 Aug 2003 14:29:31 -0400 (EDT)

On Mon, 18 Aug 2003, Ricky Charlet wrote:

> (I think) If I browse any web site which has banner ads, then the
> portscan2 preprocessor alarms with something like:
> =========cut =========
> Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2)
> Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds
> {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_ADD_SERVER?>:80
> =========paste=============
>
> This produces a lot of false positive "portscan detected" events in my
> logs. Is there a way to ignore portscans ORIGINATING from my host AND
> targeted to port 80?

Portscan2 has ignorehosts and ignore{src,dst}ports directives.  Just use
that, or use a BPF filter to totally ignore traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


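A triage sketch for the advice above, added here and not part of the original thread: before exempting a host with the ignore directives or a BPF filter, it counts which logged spp_portscan2 alerts are outbound from that host to port 80 and which would still remain. The function names, the sensor hostname, the addresses and the sample log lines are all constructed for illustration.

```python
import re

# Matches the spp_portscan2 syslog alert quoted above, once its wrapped
# lines are joined back into a single log line.
ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (documentation addresses), not real sensor data.
SAMPLE_LOG = """\
Aug 18 15:21:05 sensor snort: [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 6 targets 6 ports in 13 seconds {TCP} 192.0.2.10:56541 -> 198.51.100.7:80
Aug 18 15:24:40 sensor snort: [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 7 targets 7 ports in 9 seconds {TCP} 192.0.2.10:56602 -> 198.51.100.9:80
Aug 18 16:02:11 sensor snort: [117:1:1] (spp_portscan2) Portscan detected from 203.0.113.50: 1 targets 21 ports in 4 seconds {TCP} 203.0.113.50:40112 -> 192.0.2.10:22
Aug 18 16:30:03 sensor snort: [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 12 targets 12 ports in 6 seconds {TCP} 192.0.2.10:57001 -> 198.51.100.44:445
Aug 18 16:31:00 sensor sshd[412]: unrelated line that is not a Snort alert
"""

INT_FIELDS = ("targets", "ports", "secs", "sport", "dport")

def parse_alerts(text):
    """Return one dict per spp_portscan2 alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert.update({k: int(alert[k]) for k in INT_FIELDS})
            alerts.append(alert)
    return alerts

def triage(alerts, local_hosts, web_ports=(80,)):
    """Split alerts into (silenced, kept) for a local_hosts -> web_ports exemption.

    The alert line carries a single src -> dst tuple, so a silenced entry is
    a candidate false positive, not proof that every probed port was 80.
    """
    silenced, kept = [], []
    for a in alerts:
        outbound_web = (a["scanner"] in local_hosts and a["src"] in local_hosts
                        and a["proto"] == "TCP" and a["dport"] in web_ports)
        (silenced if outbound_web else kept).append(a)
    return silenced, kept

if __name__ == "__main__":
    quiet, loud = triage(parse_alerts(SAMPLE_LOG), {"192.0.2.10"})
    print(f"{len(quiet)} alerts would be silenced, {len(loud)} remain")
```

Alerts left in the kept list, such as the constructed outbound port 445 entry, are the ones an exemption scoped to port 80 would still surface.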