[Snort-users] Portscan plugin

A.L.Lambert alambert at ...387...
Thu Oct 5 15:10:02 EDT 2000

	I'm trying to track down info on the portscan plugin module.  I'm
having problems with it in the following case (note: these are problems
related to what I'm trying to do with it; not bugs in the portscan plugin
(I think)).

	I've got a datacenter that's doing some highly "chatty" things
over TCP, including using some specialized packets with reserved bits
set.  The problem I'm having is that no matter what I put in the
preprocessor portscan-ignorehosts:, these reserved bit packets seem to be
still setting off STEALTH scan alerts (at the rate of about 1-2 per

	So, the two possibilities I've come up with to make the flood of
bogus warnings stop are:

1.  Put in a pass rule for the hosts that are doing this chatty traffic.
2.  Turn off the portscan plugin, and use a modified scan-lib to pick up
portscan activity around this datacenter.

	I'm not positive, but I don't think I can do option 1., unless
snort checks the rules file FIRST, and the portscan plugin SECOND.  

	So, I guess my questions are:

1.  Does portscan detection happen before or after pass rules in the rules

2.  Does anyone have a better suggestion for what to do about this problem
I'm having?

	Thanks in advance, and apologies for being confusing. :)

-- A.L.Lambert
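An added configuration fragment, written by the editor rather than taken from the original post or from the Snort distribution, that puts the poster's two options side by side in Snort 1.x-era snort.conf syntax. The addresses, thresholds and log path are placeholders chosen for illustration:

```snort
# Added example (editor's, not from the original post). Snort 1.x syntax;
# the 192.0.2.x addresses, thresholds and log path are placeholders.

# Watch the datacenter block; alert when one source touches 5 ports in 7 seconds.
preprocessor portscan: 192.0.2.0/24 5 7 /var/log/snort/portscan.log

# Hosts to exempt from portscan detection. The list is matched against the
# SOURCE address of each packet, so it has to name the chatty senders, not
# the destinations they talk to.
preprocessor portscan-ignorehosts: 192.0.2.10/32 192.0.2.11/32

# Option 1 from the post: pass rules for the same senders. Preprocessors run
# before the detection engine, so these rules suppress rule-based alerts on
# this traffic but do not stop alerts raised by the portscan preprocessor.
pass tcp 192.0.2.10/32 any -> any any
pass tcp 192.0.2.11/32 any -> any any

# By default Snort 1.x applies rules in the order Alert -> Pass -> Log, so a
# pass rule only takes precedence over alert rules when Snort is started
# with -o (which changes the order to Pass -> Alert -> Log).
```

Two checks worth doing before concluding the ignore list is broken: confirm that the entries in portscan-ignorehosts are the source addresses of the reserved-bit packets (a list of the servers being talked to will have no effect), and confirm the line is placed after the preprocessor portscan line it modifies. Since pass rules are evaluated by the detection engine, which runs after the preprocessors, option 1 on its own will not quiet preprocessor-generated alerts regardless of the -o setting.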

