[Snort-users] False Portscan Alerts
joshab at ...291...
Wed Aug 9 11:17:35 EDT 2000
This is my first post so forgive me if it has already been discussed. I just
started using Snort on my RH 6.2 box on my SDSL, and I am thrilled with the
The only issue is I get lots of false portscan alerts from FTP users. I have
the portscan preprocessor set up like so:
preprocessor portscan: w.x.y.z/14 5 3 /var/log/snort/portscan.log
The problem is FTP opens lots of high ports (usually between 3000-4000 TCP)
during the connection, and Snort keeps reporting these as port scans.
Is there anything I can do to prevent this? I don't want to ignore those
ports, or ignore the FTP users' IPs if possible.
On another note: What is everyone's favorite Snort log parser? I have been
using SnortSnarf, which I like a lot.
Thanks in advance,
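
Added example, not part of the original post and not Snort's own code: a simplified Python model of a threshold detector configured like the `5 3` setting above, run over constructed connection events to show why a busy FTP session trips it. It assumes the detector counts distinct destination ports per source within a sliding window and alerts on more than 5 ports in 3 seconds, and that the FTP clients use passive mode; all addresses, ports and timestamps are constructed.

```python
from collections import defaultdict, deque

def portscan_alerts(events, max_ports=5, window=3.0):
    """events: time-ordered (timestamp, src_ip, dst_port) TCP connection attempts.
    Returns (timestamp, src_ip, ports) each time one source has touched more
    than max_ports distinct ports within `window` seconds (assumed semantics)."""
    recent = defaultdict(deque)          # src_ip -> deque of (timestamp, port)
    alerts = []
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire attempts outside the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) > max_ports:
            alerts.append((ts, src, ports))
            q.clear()                        # start a fresh window after alerting
    return alerts

def constructed_ftp_sessions():
    """Two constructed FTP clients talking to the monitored server."""
    # Client A: control connection, then a directory listing and several small
    # files in quick succession; each transfer uses a new high data port.
    busy = [(0.0, "192.0.2.10", 21)] + [
        (1.0 + 0.4 * i, "192.0.2.10", 3012 + i) for i in range(6)
    ]
    # Client B: the same kind of session, but one transfer every 3 seconds.
    slow = [(0.5, "192.0.2.20", 21)] + [
        (2.5 + 3.0 * i, "192.0.2.20", 3100 + i) for i in range(5)
    ]
    return sorted(busy + slow)

if __name__ == "__main__":
    for ts, src, ports in portscan_alerts(constructed_ftp_sessions()):
        print(f"t={ts:.1f}s  {src} flagged as portscan, ports {ports}")
```

Only the client that fetches many files quickly is flagged; the slow client opens just as many data ports overall but never exceeds the threshold inside one window.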