[Snort-sigs] Spp portscan

Don Don at ...613...
Fri May 31 08:33:06 EDT 2002

As someone else answered, spp is the acronym for Snort Pre Processor. You
may want to look at some of the addresses that are generating some of those
alerts and see about ignoring those addresses. I ignore all addresses on my
home network, reducing my alerts quite a bit. The line looks something like
First identify your home net using the variable like so
var $HOME_NET  - this means that your home net is anything on
I also get a lot of alerts from my DNS servers, which I have identified as
var $DNS_SERVERS [,]
Make changes to those lines one at a time and run snort with no other options
except the snort.conf. Read every line of the initialization screen, making
sure there are no errors. If you make a typo or have some error, it will
usually either error out completely and not run, or at least give an error
line reading something like invalid xxx in rules or something to that
effect. If you get this, go back and change it to the correct syntax and try
again. Add the ignorehosts line last, like this:

preprocessor portscan-ignorehosts: $HOME_NET $DNS_SERVERS

Identifying your home net and setting the variables where necessary will
likely reduce your alerts quite a bit, especially the DNS servers; they
seem to have generated quite a number of alerts for me.

Hope this helps.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Matt
Sent: Thursday, May 30, 2002 11:24 PM
To: Snort
Subject: [Snort-sigs] Spp portscan

Hello All,
Being a newbie to Snort, I was wondering if someone could help me with a
question I had.

I use Snort at home on my personal machines as a way to try to keep track of
what's going on. I haven't been using it long, only a few weeks. I have read
all I can get my hands on and feel I have a nice basic understanding of it,
and have begun to experiment with custom rules in an attempt to maximize its
effectiveness for this application. I would like to build on what I have
learned so far and was wondering about recommended reading from the members.
I am running Snort on Linux Mandrake and Win XP so I can see what
differences can be between the two OSes.
The first question I have is: what the heck is a spp portscan?
I've done searches and dug for info but I don't get the big flick on these.
Since I get them so often here, are they normal?
Should I be worried (I'm thinking they are someone probing me but not 100%
sure)? Is it just background noise from the internet? Can I / should I
modify my rules to ignore them?

I know this may sound stupid but I gotta start somewhere, right?

Thanks in advance for all your comments

Sincere Thanks

Matthew S Barnes
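
Added example (not part of either message above, and not code from the Snort project): a small Python script for the step of looking at which addresses generate the portscan alerts before listing them in portscan-ignorehosts. The alert wording in the pattern, the sample alert lines and the HOME_NET / DNS_SERVERS ranges are all constructed assumptions; adjust them to your own alert file and network.

```python
import ipaddress
import re
from collections import Counter

# Assumed spp_portscan alert wording; adjust the pattern to your own alert file.
PORTSCAN_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample alert lines (private and documentation address ranges).
SAMPLE_ALERTS = """\
[**] spp_portscan: PORTSCAN DETECTED from 192.168.1.10 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.53 (THRESHOLD 4 connections exceeded in 1 seconds) [**]
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.53 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
[**] spp_portscan: PORTSCAN DETECTED from 198.51.100.7 (THRESHOLD 4 connections exceeded in 2 seconds) [**]
[**] spp_portscan: portscan status from 198.51.100.7: 12 connections across 1 hosts: TCP(12), UDP(0) [**]
"""

# Constructed stand-ins for the hosts you already trust (hypothetical values).
KNOWN = {
    "HOME_NET": [ipaddress.ip_network("192.168.1.0/24")],
    "DNS_SERVERS": [ipaddress.ip_network("203.0.113.53/32")],
}

def tally_sources(alert_text):
    """Count PORTSCAN DETECTED alerts per source address; other lines are skipped."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = PORTSCAN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def classify(counts, known=KNOWN):
    """Split sources into those inside a known range and those left to review."""
    covered, unexplained = {}, {}
    for addr, n in counts.most_common():
        ip = ipaddress.ip_address(addr)
        label = next((name for name, nets in known.items()
                      if any(ip in net for net in nets)), None)
        if label:
            covered[addr] = (label, n)
        else:
            unexplained[addr] = n
    return covered, unexplained

if __name__ == "__main__":
    covered, unexplained = classify(tally_sources(SAMPLE_ALERTS))
    print("covered by existing variables:", covered)
    print("review before ignoring:", unexplained)
```

Sources that land in the "review" group are the ones not explained by your own hosts or DNS servers, so they are not candidates for the ignore list until you know what they are.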

