[Snort-sigs] spp_portscan2: portscan2-ignorehosts doesn't work

Roman Varga rva at ...1223...
Mon Jan 27 12:38:02 EST 2003


	Hello ;>

my snort installation (1.9.0) keeps reporting spp_portscan2 alerts all 
the time. Many of them are just apache-server:80 -> client:PORT, where 
PORT differs on each client. There are some examples at the end of mail.
I think this is just a part of server-client negotiation on which port 
to communicate...

Question:
How do I force spp_portscan2 plugin to ignore specific 
source_host:source_port  of my local network?

I tried this, but it seems to be ignored - simply doesn't work!:
preprocessor portscan2-ignorehosts: 195.231.157.185


#144-(1-145)  [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 2 targets 21 ports in 28 seconds  2003-01-14 07:43:52  195.231.157.185:80  212.50.138.202:10341  TCP
#145-(1-146)  [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 3 targets 21 ports in 11 seconds  2003-01-14 07:44:33  195.231.157.185:80  62.159.186.190:2341  TCP
#146-(1-147)  [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 4 targets 21 ports in 39 seconds  2003-01-14 07:46:04  195.231.157.185:80  217.236.94.253:61824  TCP
#147-(1-148)  [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 4 targets 21 ports in 44 seconds  2003-01-14 07:47:06  195.231.157.185:80  217.229.13.215:1121  TCP

thank you in advance,
Roman
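
A triage sketch for alert rows like the ones above (an added example, not part of the original message and not Snort code). It parses the console rows and counts, per source host:port, how many alerts look like server replies; the SERVICE_PORTS set, the reply heuristic and the last sample row are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports on which the monitored host runs a listening service (assumption).
SERVICE_PORTS = {80}

# First four rows are the alerts from the post; the last row is constructed
# (documentation addresses) to show a scan-like row for contrast.
SAMPLE = """\
#144-(1-145) [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 2 targets 21 ports in 28 seconds 2003-01-14 07:43:52 195.231.157.185:80 212.50.138.202:10341 TCP
#145-(1-146) [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 3 targets 21 ports in 11 seconds 2003-01-14 07:44:33 195.231.157.185:80 62.159.186.190:2341 TCP
#146-(1-147) [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 4 targets 21 ports in 39 seconds 2003-01-14 07:46:04 195.231.157.185:80 217.236.94.253:61824 TCP
#147-(1-148) [snort] (spp_portscan2) Portscan detected from 195.231.157.185: 4 targets 21 ports in 44 seconds 2003-01-14 07:47:06 195.231.157.185:80 217.229.13.215:1121 TCP
#900-(1-900) [snort] (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 25 ports in 5 seconds 2003-01-14 08:00:00 192.0.2.10:40000 198.51.100.5:22 TCP
"""

ROW = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<scanner>[\d.]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)

def parse(text):
    """Return one dict per alert row; tolerates rows hard-wrapped by a mailer."""
    flat = " ".join(text.split())  # collapse newlines and column padding
    rows = []
    for m in ROW.finditer(flat):
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        rows.append(d)
    return rows

def looks_like_reply(row, services=SERVICE_PORTS):
    """Heuristic: source is a local service port, destination is a high port."""
    return row["sport"] in services and row["dport"] >= 1024

def summarise(rows):
    """Group alerts by (source IP, source port) and count reply-like rows."""
    out = defaultdict(lambda: {"alerts": 0, "reply_like": 0, "clients": set()})
    for r in rows:
        s = out[(r["src"], r["sport"])]
        s["alerts"] += 1
        s["reply_like"] += int(looks_like_reply(r))
        s["clients"].add(r["dst"])
    return dict(out)

if __name__ == "__main__":
    for key, s in summarise(parse(SAMPLE)).items():
        print(key, s["alerts"], s["reply_like"], len(s["clients"]))
```

A source where every alert is reply-like and each row has a different client address is a candidate for tuning rather than investigation.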




