[Snort-sigs] Spp portscan

Don Don at ...613...
Fri May 31 08:33:06 EDT 2002


Matt,
as someone else answered, spp is the acronym for Snort Pre Processor, you
may want to look at some of the addresses that are generating some of those
alerts and see about ignoring those addresses, I ignore all addresses on my
home network reducing my alerts quite a bit, the line looks something like
this
First identify your home net using the variable like so
var $HOME_NET 192.168.0.0/24  - this means that your home net is anything on
192.168.0.x
I also get alot of alerts from my dns servers which i have identified as
var $DNS_SERVERS [192.168.0.1/32,172.10.0.1/32]
make changes to those line one at a time and run snort with no other options
except the snort.conf. read every line of the initialization screen, making
sure there are no errors, if you make a typo or have some error it will
usually either error out completely and not run, or at least give an error
line reading something like invalid xxx in rules or something to that
effect, if you get this, go back and change it to the correct syntax and try
again, add the ignorehosts line last like this

preprocessor portscan-ignorehosts: $HOME_NET $DNS_SERVERS

identifying your home net and setting the variables where necessary will
likely reduce your alerts quite a bit, especially the dns servers, they
seemed to have generated quite a number of alerts for me

hope this helps

Don


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Matt
Sent: Thursday, May 30, 2002 11:24 PM
To: Snort
Subject: [Snort-sigs] Spp portscan


Hello All
Being a newbie to Snort I was wondering if someone could help me with a
question I had.

I use snort at home on my personal machines as a way to try to keep track of
whats going on. I havent been using it long only a few weeks ,I have read
all I can get my hands on and feel I have a nice basic understanding of it
and have begun to experiment with custom rules in attempt to maximize its
effectiveness for this application. I would like to build on what I have
learned so far and was wondering about recommended reading from the members
here
I am running snort on linux mandrake and win xp so i can see what
differences can be between the two os's.
The first question i have is what the heck is a spp portscan?
ive done searches  and dug for info but i dont get the big flick on these
since i get them so often here are they normal??
should i be worried (im thinking they are someone probing me but not 100 %
sure) is it just background noise from the internet ? can i / should i
modify my rules to ignore them?

I know this may sound stupid but i gotta start somewhere right?

Thanks in advance for all your comments

Sincere Thanks

Matthew S Barnes


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





More information about the Snort-sigs mailing list