
Re: [Snort-users] Preprocessor PortScan2 is not doing what it.....

From: Alberto Gonzalez <albertg(at)wwjh.net>
Date: Sat Mar 15 2003 - 01:35:20 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hello,

Hello { yawn... }

>
> I ran into a problem with "preprocessor portscan2". My snort.conf file is

When you put $eth0_ADDRESS into ignorehosts, you're telling spp_portscan2 to ignore all portscans from that host. So outbound portscans (web-traffic) will be ignored, which is what you want. I don't know if it matches for both source and destination, or either one, so I can't verify whether putting $eth0_ADDRESS there might ignore ALL traffic.

What you might want to try is adding a pass rule, or using bpf filters in a file or in the command line to ignore web-traffic while still logging portscans via spp_portscan2.

preprocessor portscan2-ignorehosts: 68.50.189.203/32 is my configuration, and I still see portscans. Try adding CIDR notation to it?

Here is an example for illustration:


snort <command line options> 'not port 80 && not port 443 && not host x.x.x.x'

> [snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16

 Cheers,
 Alberto Gonzalez

-- "Success comes to the person who does today, what you are thinking of doing tomorrow."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+csmra3vAB/3yp/IRAq+7AJwIeqndo4NWIfK8XGp6KuUErS/K0wCgsJ2Z
9npvHVq8SBOV6YMs3qpCOx8=
=mGc2
-----END PGP SIGNATURE-----
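The reply above hinges on two things: what spp_portscan2's ignorehosts list actually covers, and the advice to write the entries in CIDR notation. The following Python is an added example, not part of the original post and not Snort's own code. It parses a constructed portscan2-ignorehosts line into networks, parses syslog lines in the shape spp_portscan2 writes (the first sample is the line quoted in the thread, the others are made up here), and drops the alerts whose source falls inside an ignored network. It assumes, as the post itself is unsure of, that ignorehosts is matched against the source address only; that assumption is marked in the code.

```python
import ipaddress
import re

# Constructed sample alerts in the shape spp_portscan2 logs to syslog.
# The first line is the one quoted in the thread; the others are made up.
SAMPLE_ALERTS = [
    "[snort] (spp_portscan2) Portscan detected from 152.175.40.197: 1 targets 16 ports in 3 seconds",
    "[snort] (spp_portscan2) Portscan detected from 68.50.189.203: 4 targets 4 ports in 20 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.1.2.3: 1 targets 21 ports in 2 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.1.9.8: 2 targets 5 ports in 4 seconds",
    "[snort] (spp_portscan2) Portscan detected from 192.0.2.77: 1 targets 16",
]

# Source address, target count and port count; the trailing "ports in N seconds"
# is optional so the truncated line from the thread still parses.
ALERT_RE = re.compile(
    r"Portscan detected from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<targets>\d+) targets (?P<ports>\d+)"
)


def parse_ignorehosts(config_line):
    """Turn 'preprocessor portscan2-ignorehosts: 68.50.189.203/32 10.1.0.0/16'
    into a list of ip_network objects.  Bare addresses (no /len) are accepted
    as /32, which is the explicit notation the post recommends writing anyway."""
    _, _, hosts = config_line.partition(":")
    return [ipaddress.ip_network(h.strip(), strict=False) for h in hosts.split()]


def parse_alert(line):
    """Extract source, target count and port count from one syslog line,
    or return None for lines that are not portscan2 alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "targets": int(m["targets"]),
        "ports": int(m["ports"]),
    }


def filter_alerts(lines, ignore_networks):
    """Return the alerts whose source is NOT covered by any ignored network.
    Assumption for this example: ignorehosts is matched on the source address
    only (the thread itself does not settle whether destinations count too)."""
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if any(alert["src"] in net for net in ignore_networks):
            continue
        kept.append(alert)
    return kept


if __name__ == "__main__":
    nets = parse_ignorehosts("preprocessor portscan2-ignorehosts: 68.50.189.203/32 10.1.0.0/16")
    for a in filter_alerts(SAMPLE_ALERTS, nets):
        print(f"{a['src']}: {a['targets']} targets, {a['ports']} ports")
```

Running the block with the sample list shows the effect of the /32 versus a wider prefix: the single-host entry silences only 68.50.189.203, while the 10.1.0.0/16 entry silences both 10.1.x.x sources, leaving the two external scanners. The same parse-then-match loop is a reasonable way to check, against your own syslog, whether an ignorehosts change is suppressing more than you intended.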



Received on Sat Mar 15 01:41:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:50:09 EDT

