[Snort-sigs] spp_portscan2: portscan2-ignorehosts doesn't work

Matt Kettler mkettler at ...1208...
Mon Jan 27 13:34:03 EST 2003


Although you in theory should not need the CIDR mask per Snort convention,
give the following a try:

preprocessor portscan2-ignorehosts: 195.231.157.185/32

See if that works any better.

At 11:06 AM 1/23/2003 +0530, Roman Varga wrote:

>         Hello ;>
>
>My Snort installation (1.9.0) keeps reporting spp_portscan2 alerts all the
>time. Many of them are just apache-server:80 -> client:PORT, where PORT
>differs on each client. There are some examples at the end of mail.
>I think this is just a part of server-client negotiation on which port to
>communicate...
>
>Question:
>How do I force spp_portscan2 plugin to ignore specific 
>source_host:source_port  of my local network?
>
>I tried this, but it seems to be ignored - simply doesn't work!:
>preprocessor portscan2-ignorehosts: 195.231.157.185
>
>
>#144-(1-145)         [snort] (spp_portscan2) Portscan detected from 
>195.231.157.185: 2 targets 21 ports in 28 seconds        2003-01-14 
>07:43:52        195.231.157.185:80         212.50.138.202:10341 TCP
>#145-(1-146)         [snort] (spp_portscan2) Portscan detected from 
>195.231.157.185: 3 targets 21 ports in 11 seconds        2003-01-14 
>07:44:33        195.231.157.185:80         62.159.186.190:2341 TCP
>#146-(1-147)         [snort] (spp_portscan2) Portscan detected from 
>195.231.157.185: 4 targets 21 ports in 39 seconds        2003-01-14 
>07:46:04        195.231.157.185:80         217.236.94.253:61824 TCP
>#147-(1-148)         [snort] (spp_portscan2) Portscan detected from 
>195.231.157.185: 4 targets 21 ports in 44 seconds        2003-01-14 
>07:47:06        195.231.157.185:80         217.229.13.215:1121 TCP
>
>Thank you in advance,
>Roman
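
An added example, not part of the original thread and not Snort's own code: a Python sketch that parses spp_portscan2 alert lines in the format quoted above and reports which alerts come from a host covered by an ignore list and look like server replies (source port 80 to a high client port). The function names, the ignore-list parsing via `ipaddress`, the 1024 port threshold and the third sample line are assumptions of the example.

```python
import ipaddress
import re

# First two lines are alerts from the message above, unwrapped to one line
# each; the third line is constructed for contrast.
SAMPLE = """\
(spp_portscan2) Portscan detected from 195.231.157.185: 2 targets 21 ports in 28 seconds 2003-01-14 07:43:52 195.231.157.185:80 212.50.138.202:10341 TCP
(spp_portscan2) Portscan detected from 195.231.157.185: 3 targets 21 ports in 11 seconds 2003-01-14 07:44:33 195.231.157.185:80 62.159.186.190:2341 TCP
(spp_portscan2) Portscan detected from 10.0.0.7: 9 targets 40 ports in 5 seconds 2003-01-14 07:45:00 10.0.0.7:40112 192.0.2.10:22 TCP
"""

ALERT_RE = re.compile(
    r"Portscan detected from (?P<scanner>[\d.]+): (?P<targets>\d+) targets "
    r"(?P<ports>\d+) ports in (?P<secs>\d+) seconds\s+"
    r"\S+\s+\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_ignore_list(spec):
    """Accept 'a.b.c.d' or 'a.b.c.d/len'; a bare host becomes a /32 network."""
    return [ipaddress.ip_network(item, strict=False) for item in spec.split()]

def triage(log_text, ignore_spec, service_ports=(80,)):
    """Classify each alert: is the source on the ignore list, and does the
    packet look like a server reply (service source port, high dest port)?"""
    nets = parse_ignore_list(ignore_spec)
    results = []
    for m in ALERT_RE.finditer(log_text):
        src = ipaddress.ip_address(m["src"])
        sport, dport = int(m["sport"]), int(m["dport"])
        results.append({
            "src": m["src"],
            "sport": sport,
            "dport": dport,
            "ignored": any(src in n for n in nets),
            "server_reply": sport in service_ports and dport >= 1024,
        })
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE, "195.231.157.185/32"):
        print(row)
```

Alerts that are flagged `ignored` yet still appear in the log after a configuration change point to the ignore directive not being applied, rather than to a mismatch in the address itself.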




