Snort mailing list archives

RE: How to tell spp_portscan2 processor to ignore ICMP events?


From: Jose Vicente Nunez Z <josevnz () newbreak com>
Date: 23 Sep 2003 11:54:03 -0400

Looks like this is what I was looking for! Thanks a lot.

JV.

On Tue, 2003-09-23 at 11:23, Kreimendahl, Chad J wrote:
Survey says:

preprocessor conversation: allowed_ip_protocols 6 17, <rest of
conversation config>.....

The allowed_ip_protocols part is followed by the protocols you want to
watch (separated by spaces).
 1  = ICMP
 6  = TCP
 17 = UDP


-----Original Message-----
From: Jose Vicente Nunez Z [mailto:josevnz () newbreak com] 
Sent: Monday, September 22, 2003 8:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to tell spp_portscan2 processor to ignore ICMP events?


Greetings,

Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:

Info:          (spp_portscan2) Portscan detected from 216.159.9.41: 6
targets 6 ports in 0 seconds
Reference:     
Ofender:       216.159.9.41
Afected:       XX.YY.ZZ.WW
Impact:        1
Reporter:      192.168.0.251
Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
Severity:      Indeterminate

Checking the snort log files I found this:

09/22-08:56:26.700768  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330


I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but have no idea how to fix the issue.

Before, I was getting the "Cyberkit ICMP" alerts, but I took those down
too.

Has anyone else experienced the same problem?

Thanks in advance,
-- 
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
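As an added illustration (not code from this thread or from Snort itself), the Python script below replays lines in the spp_portscan2 log format quoted above through a simplified model of what allowed_ip_protocols does: flows whose IP protocol number is not listed never reach the target counter, so an ICMP sweep stops producing portscan alerts once only 6 (TCP) and 17 (UDP) are allowed. The sample addresses are constructed (RFC 5737 ranges), and the target_limit/timeout logic is an assumed approximation of portscan2, not Snort's implementation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the spp_portscan2 log format quoted in the thread;
# the real source and targets are replaced with documentation addresses.
SAMPLE_LOG = """\
09/22-08:56:26.700768  ICMP src: 203.0.113.41 dst: 192.0.2.1 type: 8 code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 203.0.113.41 dst: 192.0.2.2 type: 8 code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: 203.0.113.41 dst: 192.0.2.3 type: 8 code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: 203.0.113.41 dst: 192.0.2.4 type: 8 code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: 203.0.113.41 dst: 192.0.2.5 type: 8 code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: 203.0.113.41 dst: 192.0.2.6 type: 8 code: 0 tgts: 11 event_id: 17330
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<proto>ICMP|TCP|UDP)\s+"
    r"src:\s+(?P<src>[\d.]+)(?::\d+)?\s+dst:\s+(?P<dst>[\d.]+)"
)
IP_PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}  # the numbers given in the reply


def parse_events(text):
    """Return (timestamp, ip_protocol_number, src, dst) for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # year is irrelevant here
            events.append((ts, IP_PROTO[m["proto"]], m["src"], m["dst"]))
    return events


def portscan_sources(events, allowed_ip_protocols, target_limit=5, timeout=timedelta(seconds=60)):
    """Sources that reached more than target_limit distinct hosts inside one timeout window.
    allowed_ip_protocols is a set of IP protocol numbers, or None to mean 'all'.
    Assumed simplification of portscan2's target_limit/timeout, not Snort's code."""
    seen = defaultdict(list)
    for ts, proto, src, dst in sorted(events):
        if allowed_ip_protocols is not None and proto not in allowed_ip_protocols:
            continue  # conversation never tracks the flow, so portscan2 never counts it
        seen[src].append((ts, dst))
    flagged = set()
    for src, hits in seen.items():
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= timeout}
            if len(targets) > target_limit:
                flagged.add(src)
                break
    return flagged
```

With `allowed_ip_protocols` restricted to `{6, 17}` the constructed ICMP sweep is never counted, whereas allowing all protocols flags the source once its sixth target exceeds the default limit of 5.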


