[Snort-devel] RFE: ignore_ports option for sfportscan preprocessor

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Mon Feb 14 05:56:04 EST 2005

--On 11 February 2005 07:31 -0800 Jay Beale <jay at ...2665...> wrote:

> Alex Butcher, ISC/ISYS wrote:
>> Hi -
>> As P2P traffic looks a lot like portscanning, it'd be nice to be able to
>> tell sfportscan to ignore the common P2P ports. Sadly, I suspect this
>> would be quite difficult to add with Snort <= 2.3.0.
>> Any comments?
>> Best Regards,
>> Alex.
> First, let me preface this by saying that I'm not one of the Snort
> developers.  What I outline below could be completely insane or
> inefficient.

Sorry - when I said 'difficult', I probably should have qualified that by 
adding 'to do efficiently'!

> The requirement itself might be the wrong way to go about
> the problem.

Indeed. Blocking P2P might well be a better option. ;-)

Thanks for your suggestions, anyway. I might have a hack around...

>   - Jay

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

More information about the Snort-devel mailing list