Snort mailing list archives
suppress 'open port' on well-known services
From: "Roy Kidder" <rkidder () safelite net>
Date: Wed, 23 Feb 2005 12:35:38 -0500
I'm new to snort and have a question that I can't find an answer to. I've got a box up and running. I'm now trying to suppress the "normal" traffic on my network. Two big ones that I see happening are: * PCs browsing on TCP/80 * Mail servers sending on TCP/25 In these two instances, snort is alerting 122:27 "(portscan) Open Port". If I suppress 122:27, I could very well also suppress stuff I don't want to (ie a trojan connecting to an IRC box on tcp/1337). Can I write suppression statements based not only on gen_id, sig_id, and src/dst ip, but also include tcp or udp port? Or am I approaching this the wrong way? Thanks in advance, Roy Roy Kidder Network Engineer Safelite Glass Corp. ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- suppress 'open port' on well-known services Roy Kidder (Feb 23)
- Re: suppress 'open port' on well-known services Jeremy Hewlett (Feb 23)