Pantek Library

Re: [Snort-users] unknown destination ip and portscan false alerts

From: Alberto Gonzalez <electron(at)wwjh.net>
Date: Sat Mar 08 2003 - 02:57:26 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[...snip...]

>
> Signature: portscan

Use portscan-ignorehosts.
The syntax is 'preprocessor portscan-ignorehosts: x.x.x.x'

> 2) i'm getting a lot of portscan alerts to and from

Neither spp_portscan nor portscan2 can take ports as arguments. BPF filters might be of use with different snort instances, though the BPF filters wouldn't just apply to portscans, they would apply to everything. I use the rules that come with snort to detect portscans, and I disable both preprocessors.

> How do I disable portscans from internal network to

You might want to run two instances of snort, one on your internet-connected interface, the other on your internal interface, each with a different configuration file. This would give you more control over what you want to see on each side. HTH!


Cheers!
  Alberto Gonzalez

  -- "Success comes to the person who does today, what you are thinking of doing tomorrow."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+aaJqORajRLkA7bARAm4gAJ99Mf6/ZOlzD6ooAO5AfS1NotpT3gCgn55L NXWmfnInVH3JKugQEcAADi4=
=Sued
-----END PGP SIGNATURE-----




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Received on Sat Mar 8 03:16:31 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:11:47 EDT
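
The three suggestions in the reply above, sketched as configuration. This is an added example, not part of the original message: the addresses, interface names and file paths are constructed placeholders, and the syntax assumed is that of the portscan preprocessor in Snort releases of the message's era (2003).

```conf
# Constructed example: addresses, interfaces and paths are placeholders.

# --- snort-internal.conf (sensor on the internal interface) ---
var HOME_NET 10.0.0.0/24

# Option A: keep the portscan preprocessor but exempt known-noisy hosts
# (for example a DNS or NTP server). The portscan arguments are:
# monitored network, number of ports, detection period in seconds, log file.
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 10.0.0.53/32 10.0.0.123/32

# Option B: comment out both preprocessor lines above and rely on the
# scan rules shipped with Snort instead.
include scan.rules

# --- Launching one instance per interface, each with its own config ---
# snort -D -i eth0 -c /etc/snort/snort-external.conf -l /var/log/snort/external
# snort -D -i eth1 -c /etc/snort/snort-internal.conf -l /var/log/snort/internal
#
# A BPF expression may be appended to the command line. It filters packets
# before any detection runs, so the excluded host is invisible to every
# rule and preprocessor on that instance, not only to portscan detection:
# snort -D -i eth1 -c /etc/snort/snort-internal.conf 'not host 10.0.0.53'
```

Prefer portscan-ignorehosts over a BPF exclusion when the goal is only to quiet scan alerts, since the BPF filter also removes that host's traffic from every other rule on the instance.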

