suppress 'open port' on well-known services

["Roy Kidder" <rkidder () safelite net>]

I'm new to snort and have a question that I can't find an answer to.

I've got a box up and running. I'm now trying to suppress the "normal"
traffic on my network. Two big ones that I see happening are:

* PCs browsing on TCP/80
* Mail servers sending on TCP/25

In these two instances, snort is alerting 122:27 "(portscan) Open Port".

If I suppress 122:27, I could very well also suppress stuff I don't want to
(ie a trojan connecting to an IRC box on tcp/1337).

Can I write suppression statements based not only on gen_id, sig_id, and
src/dst ip, but also include tcp or udp port? Or am I approaching this the
wrong way?

Thanks in advance,
Roy



Roy Kidder
Network Engineer
Safelite Glass Corp.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users