[Snort-users] False Portscan Alerts

Josha Bronson joshab at ...291...
Wed Aug 9 11:17:35 EDT 2000


Hi all,

This is my first post, so forgive me if it has already been discussed. I just
started using Snort on my RH 6.2 box on my SDSL, and I am thrilled with the
results.

The only issue is I get lots of false portscan alerts from FTP users. I have
the portscan preprocessor set up like so:

preprocessor portscan: w.x.y.z/14 5 3 /var/log/snort/portscan.log

The problem is FTP opens lots of high ports (usually between 3000-4000 TCP)
during the connection, and Snort keeps reporting these as port scans.

Is there anything I can do to prevent this? I don't want to ignore those
ports, or ignore the FTP users' IPs, if possible.

On another note: What is everyone's favorite Snort log parser? I have been
using SnortSnarf, which I like a lot.

Thanks in advance,

Josha
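Added example, not part of Josha's post or of Snort itself: a small Python model of the ports-in-seconds threshold that the posted config line expresses (5 distinct ports within 3 seconds), run over constructed connection records so the passive-FTP false positive is visible, followed by a hypothetical filter that drops an alert only when the flagged ports are all high ports and a control connection to tcp/21 from the same client to the same server was seen shortly before. The sample records, the 60-second grace window, the 1024 port boundary and the per-(source, destination) bookkeeping are assumptions chosen for illustration and simplify what the real preprocessor does.

```python
"""Model of a ports-per-seconds portscan heuristic plus an FTP-aware filter."""
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold taken from the posted config line: 5 ports within 3 seconds.
PORT_THRESHOLD = 5
WINDOW = timedelta(seconds=3)
# Assumption: a burst of high ports counts as FTP data traffic only if a
# control connection (tcp/21) from the same client to the same server
# appeared within this grace period beforehand.
FTP_CONTROL_GRACE = timedelta(seconds=60)
EPHEMERAL_START = 1024  # assumption: data ports below this are not FTP data


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample of TCP connection attempts: (time, src, dst, dport).
SAMPLE_CONNECTIONS = [
    # Passive-mode FTP session: control channel first, then one high port
    # per directory listing or file transfer in quick succession.
    ("2000-08-09 10:59:50", "10.0.0.5", "10.0.0.20", 21),
    ("2000-08-09 11:00:01", "10.0.0.5", "10.0.0.20", 3201),
    ("2000-08-09 11:00:01", "10.0.0.5", "10.0.0.20", 3202),
    ("2000-08-09 11:00:02", "10.0.0.5", "10.0.0.20", 3203),
    ("2000-08-09 11:00:02", "10.0.0.5", "10.0.0.20", 3204),
    ("2000-08-09 11:00:03", "10.0.0.5", "10.0.0.20", 3205),
    # A sweep of well-known ports from another host; it also touches 21,
    # which is why the filter must look at the port range, not just tcp/21.
    ("2000-08-09 11:05:00", "192.0.2.9", "10.0.0.20", 21),
    ("2000-08-09 11:05:00", "192.0.2.9", "10.0.0.20", 22),
    ("2000-08-09 11:05:01", "192.0.2.9", "10.0.0.20", 23),
    ("2000-08-09 11:05:01", "192.0.2.9", "10.0.0.20", 25),
    ("2000-08-09 11:05:02", "192.0.2.9", "10.0.0.20", 80),
]


def portscan_alerts(connections, threshold=PORT_THRESHOLD, window=WINDOW):
    """Return [(src, dst, alert_time, ports)] each time a source touches
    `threshold` distinct ports on one destination inside `window`.
    Bookkeeping is per (src, dst) pair, a simplification of the real thing."""
    history = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    alerts = []
    for text, src, dst, port in sorted(connections, key=lambda c: c[0]):
        now = _ts(text)
        key = (src, dst)
        # Keep only connections still inside the sliding window.
        recent = [(t, p) for t, p in history[key] if now - t <= window]
        recent.append((now, port))
        ports = {p for _, p in recent}
        if len(ports) >= threshold:
            alerts.append((src, dst, now, sorted(ports)))
            recent = []  # reset so one burst produces exactly one alert
        history[key] = recent
    return alerts


def is_ftp_data_burst(alert, connections, grace=FTP_CONTROL_GRACE):
    """True when every flagged port is a high port and the same client opened
    a control connection to tcp/21 on the same server within `grace`."""
    src, dst, when, ports = alert
    if any(p < EPHEMERAL_START for p in ports):
        return False
    for text, s, d, port in connections:
        seen = _ts(text)
        if s == src and d == dst and port == 21 and timedelta(0) <= when - seen <= grace:
            return True
    return False


def filtered_alerts(connections):
    """Portscan alerts with passive-FTP data bursts removed."""
    return [a for a in portscan_alerts(connections)
            if not is_ftp_data_burst(a, connections)]


if __name__ == "__main__":
    for src, dst, when, ports in portscan_alerts(SAMPLE_CONNECTIONS):
        print(f"raw alert   {when} {src} -> {dst} ports {ports}")
    for src, dst, when, ports in filtered_alerts(SAMPLE_CONNECTIONS):
        print(f"kept alert  {when} {src} -> {dst} ports {ports}")
```

Run as-is, the FTP client trips the threshold with ports 3201 to 3205 and is then suppressed, while the sweep from 192.0.2.9 survives because its ports are all below 1024. The trade-off is worth stating: a source that opens a control connection and then probes only high ports would also be suppressed, so this filter buys fewer false positives at the cost of some coverage, and a deployment would want to log the suppressed alerts somewhere rather than discard them.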
