Snort mailing list archives

sfportscan - lots of false positives


From: Gordon Wallum via Snort-users <snort-users () lists snort org>
Date: Wed, 14 Aug 2019 17:22:00 -0600

Hello

I am working on enabling sfportscan for our Snort deployment. After
enabling the preprocessor we received a HUGE amount of alerts.
Investigating, the alerts showed that the alert fired when only 1 port was
used.


     Example config in snort.conf
       preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

     A screenshot is attached of the alert.

Does anyone have experience with the sfportscan preprocessor? I have read
the README about whitelisting IP addresses etc., but can't find anything
on what I am experiencing.

Thank you

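As an added illustration (not part of the original post, and not Snort's own code), the following Python parses the sfportscan line quoted above and then triages constructed connection records the way a defender would when checking whether a "one port" alert is noise: sfportscan's README distinguishes a portscan (many ports on one host) from a portsweep (one port across many hosts), so single-port activity can still be a legitimate sweep. The sample records and the two thresholds are assumptions for the demonstration, not sfportscan's real sense_level values.

```python
from collections import defaultdict

# Constructed sample connection records (src, dst, dst_port); not from the post's screenshot.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 22), ("10.0.0.5", "10.0.1.10", 80),
    ("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.10", 8080),
    ("10.0.0.5", "10.0.1.10", 3389),                       # many ports, one host
    ("10.0.0.9", "10.0.1.1", 445), ("10.0.0.9", "10.0.1.2", 445),
    ("10.0.0.9", "10.0.1.3", 445), ("10.0.0.9", "10.0.1.4", 445),
    ("10.0.0.9", "10.0.1.5", 445),                         # one port, many hosts
    ("10.0.0.20", "10.0.1.10", 443), ("10.0.0.20", "10.0.1.10", 443),  # ordinary traffic
]


def parse_sfportscan_line(line):
    """Parse 'preprocessor sfportscan: key { val ... } ...' into option -> list of tokens."""
    body = line.split(":", 1)[1]
    opts = {}
    for part in body.split("}"):
        if "{" not in part:
            continue
        key, vals = part.split("{", 1)
        opts[key.strip()] = vals.split()
    return opts


def classify_sources(flows, scan_ports=5, sweep_hosts=5):
    """Label each source as 'portscan', 'portsweep' or 'single-port traffic'.

    scan_ports / sweep_hosts are assumed demo thresholds, not sfportscan's internal ones.
    """
    ports_by_target = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts_by_port = defaultdict(set)     # (src, dport) -> distinct destination hosts
    for src, dst, dport in flows:
        ports_by_target[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)
    verdict = {}
    for (src, _dst), ports in ports_by_target.items():
        if len(ports) >= scan_ports:
            verdict[src] = "portscan"
    for (src, _dport), hosts in hosts_by_port.items():
        if len(hosts) >= sweep_hosts:
            verdict.setdefault(src, "portsweep")
    for src, _, _ in flows:
        verdict.setdefault(src, "single-port traffic")
    return verdict
```

A source labelled "single-port traffic" with a single destination is the case worth tuning away (for example via the ignore_scanners / ignore_scanned options the README describes), whereas a "portsweep" hit on one port is the preprocessor working as designed.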