Snort mailing list archives

Re: Help with noisy alerts for known application


From: Daniel Shepherd <shepdelacreme () gmail com>
Date: Fri, 8 Apr 2011 15:04:17 -0400

That is an alert generated by the portscan preprocessor. Check out the
README.sfportscan doc for details on tuning the preprocessor but it
looks like you could use the

* ignore_scanned { <ip1|ip2/cidr[ [port1|port2-port3]]> }

parameter to tune out incoming scans to specific hosts/ports.

Here is a link to the doc online.

http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sfportscan?rev=HEAD&content-type=text/plain


On Fri, Apr 8, 2011 at 2:26 PM, Geoff Sweet <geoff.sweet () wemadeusa com> wrote:
When we first implemented Snort we found that we were generating tons of
alerts from our games. That was to be expected and so we started digging in
to try to quiet down the alerts.  The very first thing that we trimmed was
the “COMMUNITY SIP TCP/IP message flooding directed to SIP proxy” alert that
was thrown for basically every single connection to our game.  A bit of
reading in the old snort forum said that getting rid of that rule was ok so
I commented it out of the rule file.  So after a bit of reading online I
came up with two rule files that describe our two primary games, and from
the reading set them to “pass” so that Snort would recognize the traffic and
quietly pass it.  The rules look like this:

/etc/snort/rules$ cat wemade-mir3.rules
pass tcp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)

/etc/snort/rules$ cat joymax-silkroads.rules
pass tcp $EXTERNAL_NET any -> any 15779 (msg:"Silkroads Online";)
pass tcp $EXTERNAL_NET any -> any 12989 (msg:"Silkroads Online";)
pass tcp $EXTERNAL_NET any -> any 15021 (msg:"Silkroads Online";)
pass tcp $EXTERNAL_NET any -> any 15020 (msg:"Silkroads Online";)

The problem at this point is that every connection to the games generates a
portscan alert.  I have over 220K of them in a 12 hour period.  I was under
the assumption from the documentation that by creating this rule with the
specific ports listed and the action as “pass” that snort wouldn’t raise an
alert.  Am I doing something wrong with this rule?  All the alerts are
marked with the signature “(portscan) Open Port: [whatever game port from
above]” and links to http://www.snortid.com/snortid.asp?QueryId=122-27

Any help would be greatly appreciated.

-Geoff

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
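
An added example, not code from either poster or from the Snort project, that follows up on the reply above: the "(portscan) Open Port" alerts come from the sfportscan preprocessor, which runs before the detection engine, so the pass rules never get a chance to silence them. The script below takes pass rules of the shape posted in the thread, collects their destination ports, folds them into ranges and renders them as ignore_scanned entries for the preprocessor line in snort.conf; it also scans a few constructed alert lines for Open Port values that the rule set does not cover, which is the check you want before trusting the tuning. Assumptions, labelled in the comments too: the game server address (10.0.0.5) is a placeholder; the entry format follows the grammar quoted in the reply, ip followed by [port] or [port1-port2], with several entries joined by commas.

```python
"""Added example (not from the thread or the Snort project): derive an
sfportscan ignore_scanned entry from Snort pass rules, and check sample
'(portscan) Open Port' alerts against the same port list."""
import re

# Constructed sample in the same shape as the pass rules posted in the thread.
PASS_RULES = """
pass tcp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
pass udp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
pass tcp $EXTERNAL_NET any -> any 15779 (msg:"Silkroads Online";)
"""

# Placeholder address for the game host; substitute the real server(s).
GAME_HOST = "10.0.0.5"

# Constructed alert lines; the gid:sid 122:27 is the id the thread links to.
SAMPLE_ALERTS = [
    "[122:27:1] (portscan) Open Port: 7000 [Priority: 3] {PROTO:255} 198.51.100.7 -> 10.0.0.5",
    "[122:27:1] (portscan) Open Port: 7000 [Priority: 3] {PROTO:255} 198.51.100.9 -> 10.0.0.5",
    "[122:27:1] (portscan) Open Port: 15779 [Priority: 3] {PROTO:255} 198.51.100.7 -> 10.0.0.5",
    "[122:27:1] (portscan) Open Port: 7300 [Priority: 3] {PROTO:255} 198.51.100.12 -> 10.0.0.5",
]

# header: action proto src_net src_port -> dst_net dst_port ( ...
RULE_RE = re.compile(
    r'^\s*pass\s+(tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+(\d+)\s*\(', re.MULTILINE)
ALERT_RE = re.compile(r'\(portscan\) Open Port:\s*(\d+)')


def pass_rule_ports(rules_text):
    """Sorted, de-duplicated destination ports named by the pass rules."""
    return sorted({int(m.group(2)) for m in RULE_RE.finditer(rules_text)})


def coalesce(ports):
    """Fold a sorted port list into (lo, hi) runs of consecutive ports."""
    ranges = []
    for p in ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def ignore_scanned_entries(host, ports):
    """Render 'ip [port]' / 'ip [lo-hi]' entries (syntax from README.sfportscan,
    assumed here to be a literal bracketed port or port range per entry)."""
    return [f"{host} [{lo}]" if lo == hi else f"{host} [{lo}-{hi}]"
            for lo, hi in coalesce(ports)]


def render_sfportscan(host, ports):
    """Complete preprocessor line for snort.conf; comma-joined list assumed."""
    entries = ", ".join(ignore_scanned_entries(host, ports))
    return ("preprocessor sfportscan: proto { all } \\\n"
            "    scan_type { all } \\\n"
            "    sense_level { low } \\\n"
            f"    ignore_scanned {{ {entries} }}")


def uncovered_alert_ports(alert_lines, ports):
    """Map of Open Port values seen in alerts but absent from the pass rules,
    with a hit count each; anything here is not game traffic you whitelisted."""
    covered = set(ports)
    seen = {}
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and int(m.group(1)) not in covered:
            port = int(m.group(1))
            seen[port] = seen.get(port, 0) + 1
    return seen


if __name__ == "__main__":
    ports = pass_rule_ports(PASS_RULES)
    print(render_sfportscan(GAME_HOST, ports))
    print("uncovered:", uncovered_alert_ports(SAMPLE_ALERTS, ports))
```

Run against your real rule files and a day of portscan alerts, the uncovered map is the interesting output: ports that show up there are not the games, so they should stay visible rather than be added to ignore_scanned. Keep the ignore list scoped to the game hosts themselves, since a bare CIDR entry blinds the preprocessor to every destination in that block.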

