[Snort-users] Port Scan Preprocessor and Noisy Systems

Brent Erickson erickson at ...239...
Fri Aug 18 11:16:14 EDT 2000


Try as I might, I cannot get the preprocessor to ignore my internal dns systems and other system management systems running SNMP. Most of the port scans are all UDP.

I am running Snort version 1.6.3 in our dmz. The preprocessor is ignoring the dmz dns servers but not our internal dns servers and system management machines.

I am also running pass rules for these noisy systems and running Snort as:

snort -b -o -A fast -l log -c snort-lib

Here is what snort-lib looks like:

var HOME_NET my.net.0.0/16

# set your DNS server IP (or whatever) so you don't show "portscans" from
# that address
###############################################################################
# SET THIS VARIABLE TO AS IT APPLIES TO YOUR NETWORK!!!!
###############################################################################
var DNS_SERVER dmz.dns.a.b/32 dmz.dns.c.d/32 int.dns.a.b/32 dmz.netmon.a.b/32
var SYSTEM_MONITOR dmz.sysmon.a.b/32 int.sysmon.a.b/32 dmz.sysmon.c.d/32

#
# portscan plugin by Patrick Mullen <p_mullen at ...245...>
# This detects UDP packets or TCP SYN packets
# going to seven different ports in less than two seconds.
# "Stealth" TCP packets are always detected, regardless
# of these settings.
preprocessor portscan: $HOME_NET 7 5 portscan.log

# ignorehosts is set to ignore TCP SYN and UDP "scans" from
# your home net by default to reduce false alerts. However,
# for maximum benefit it should be tweaked to only include a
# whitespace-delimited list of only your noisiest servers/hosts.
preprocessor portscan-ignorehosts: $DNS_SERVER $SYSTEM_MONITOR

include 07272k.rules
include scan-lib
include vision.rules



Does anyone have any ideas? Should I raise the scan level threshold?

Thank you for your help.



Brent Erickson
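A worked model of the configuration in the post, added here as an illustration (this is not Snort's own code and not Brent's): it parses a snort-lib style fragment, expands the $DNS_SERVER / $SYSTEM_MONITOR variables into the ignorehosts list, and replays constructed packet events through a simplified version of the "N distinct ports within M seconds" rule the comments describe. The point for a defender is the check it exposes: after variable expansion, is the noisy internal host's address actually inside one of the /32 entries, and does its traffic reach the threshold inside the window? All addresses are RFC 5737 documentation ranges standing in for the post's placeholders, and the model assumes (as a simplification) that the first portscan argument is the network whose hosts are the scan targets, that only UDP and bare TCP SYNs count, and that the window is inclusive.

```python
"""Simplified model of Snort 1.6-style portscan thresholds with ignorehosts.

Constructed example, not Snort's code. It exists to show how the $VAR
expansion and the ignore list interact with the port/time threshold.
"""
import ipaddress
from collections import defaultdict

# Constructed config fragment (RFC 5737 addresses stand in for the post's placeholders).
CONFIG = """
var HOME_NET 192.0.2.0/24
var DNS_SERVER 198.51.100.10/32 192.0.2.53/32
var SYSTEM_MONITOR 198.51.100.20/32
preprocessor portscan: $HOME_NET 7 5 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVER $SYSTEM_MONITOR
"""


def expand(tokens, variables):
    """Replace $NAME tokens with the variable's (recursively expanded) values."""
    out = []
    for tok in tokens:
        if tok.startswith("$"):
            name = tok[1:]
            if name not in variables:
                raise KeyError(f"undefined variable ${name}")
            out.extend(expand(variables[name], variables))
        else:
            out.append(tok)
    return out


def parse_config(text):
    """Return (variables, preprocessors) from 'var' and 'preprocessor' lines."""
    variables, preprocessors = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "var" and len(tokens) >= 3:
            variables[tokens[1]] = tokens[2:]
        elif tokens[0] == "preprocessor":
            name, _, args = line[len("preprocessor"):].strip().partition(":")
            preprocessors[name.strip()] = expand(args.split(), variables)
    return variables, preprocessors


def build_networks(tokens):
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def is_ignored(src, ignore_nets):
    """True when the source address falls inside any ignorehosts entry."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ignore_nets)


def detect_portscans(events, home_nets, ignore_nets, port_threshold, window_secs):
    """events: (timestamp, src, dst, dst_port, proto, tcp_flags) tuples in time order.

    Assumption: a source alerts once it has touched port_threshold distinct
    destination ports on monitored hosts within window_secs (inclusive).
    """
    alerts, alerted = [], set()
    history = defaultdict(list)  # src -> [(ts, dst_port), ...]
    for ts, src, dst, dport, proto, flags in events:
        if proto == "tcp" and flags != "S":
            continue  # only bare SYNs count here; stealth flags are a separate rule
        if proto not in ("udp", "tcp"):
            continue
        if not any(ipaddress.ip_address(dst) in n for n in home_nets):
            continue  # assumption: monitored network = scan targets
        if is_ignored(src, ignore_nets):
            continue  # noisy server listed in ignorehosts
        hist = [(t, p) for t, p in history[src] if ts - t <= window_secs]
        hist.append((ts, dport))
        history[src] = hist
        distinct = {p for _, p in hist}
        if len(distinct) >= port_threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, sorted(distinct)))
    return alerts


def build_events():
    """Constructed traffic: ignored DNS server, unlisted SNMP poller, fast and slow external probes."""
    events = []
    for i, port in enumerate(range(40000, 40010)):  # DNS answers to client ports (ignored)
        events.append((0.1 * i, "192.0.2.53", "192.0.2.10", port, "udp", ""))
    for i, port in enumerate([161, 162, 1025, 1026, 1027, 1028, 1029]):  # unlisted poller
        events.append((10.0 + 0.5 * i, "192.0.2.77", "192.0.2.200", port, "udp", ""))
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143]):  # 7 SYNs in 0.6 s
        events.append((100.0 + 0.1 * i, "203.0.113.9", "192.0.2.10", port, "tcp", "S"))
    for i, port in enumerate(range(1, 8)):  # one port every 2 s: never 7 inside a 5 s window
        events.append((200.0 + 2.0 * i, "203.0.113.50", "192.0.2.10", port, "tcp", "S"))
    return events


def run_demo(config=CONFIG, events=None):
    _, pre = parse_config(config)
    ps = pre["portscan"]  # [monitor_net, ports, seconds, logfile]
    home_nets = build_networks([ps[0]])
    ignore_nets = build_networks(pre.get("portscan-ignorehosts", []))
    return detect_portscans(events or build_events(), home_nets, ignore_nets, int(ps[1]), float(ps[2]))


if __name__ == "__main__":
    for ts, src, ports in run_demo():
        print(f"t={ts:.1f} portscan from {src}: ports {ports}")
```

Running it alerts on the unlisted SNMP poller (192.0.2.77) and the fast external probe, while the DNS server listed in $DNS_SERVER and the slow probe stay silent. Swapping 192.0.2.77 into $SYSTEM_MONITOR, or raising the port count above what the poller touches in the window, silences it; printing `parse_config(CONFIG)[1]["portscan-ignorehosts"]` is the quickest way to confirm a host is really in the expanded list.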