[Snort-users] Portscan plugin
alambert at ...387...
Thu Oct 5 15:10:02 EDT 2000
I'm trying to track down info on the portscan plugin module. I'm
having problems with it in the following case (note: these are problems
related to what I'm trying to do with it; not bugs in the portscan plugin
I've got a datacenter that's doing some highly "chatty" things
over TCP, including using some specialized packets with reserved bits
set. The problem I'm having is that no matter what I put in the
preprocessor portscan-ignorehosts:, these reserved bit packets seem to be
still setting off STEALTH scan alerts (at the rate of about 1-2 per
So, the two possibilities I've come up with to make the flood of
bogus warnings stop are:
1. Put in a pass rule for the hosts that are doing this chatty traffic.
2. Turn off the portscan plugin, and use a modified scan-lib to pick up
portscan activity around this datacenter.
I'm not positive, but I don't think I can do option 1, unless
Snort checks the rules file FIRST, and the portscan plugin SECOND.
So, I guess my questions are:
1. Does portscan detection happen before or after pass rules in the rules
2. Does anyone have a better suggestion for what to do about this problem
Thanks in advance, and apologies for being confusing. :)
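Before deciding between a pass rule and disabling the preprocessor, it helps to confirm which sources are actually producing the STEALTH alerts and whether the `portscan-ignorehosts:` list as written covers them. The script below is an added example, not code from the post or from the Snort project: it tallies `spp_portscan` "PORTSCAN DETECTED" lines by source and scan kind and checks each source against a CIDR list in the shape the directive takes. The syslog line layout and the sample addresses are constructed, and `SAMPLE_ALERTS`, `IGNORE_HOSTS` and `audit` are names introduced here.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of spp_portscan output as it might appear in syslog.
# The line layout is assumed from the 1.x portscan preprocessor; it is not
# taken from the post above, and the addresses are made up.
SAMPLE_ALERTS = """\
Oct  5 14:58:01 sensor snort[4242]: spp_portscan: PORTSCAN DETECTED from 10.20.0.7 (STEALTH)
Oct  5 14:58:01 sensor snort[4242]: spp_portscan: portscan status from 10.20.0.7: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Oct  5 14:58:09 sensor snort[4242]: spp_portscan: PORTSCAN DETECTED from 10.20.0.9 (STEALTH)
Oct  5 14:58:20 sensor snort[4242]: spp_portscan: PORTSCAN DETECTED from 192.0.2.55 (THRESHOLD 4 connections in 3 seconds)
Oct  5 14:58:31 sensor snort[4242]: spp_portscan: PORTSCAN DETECTED from 10.20.0.7 (STEALTH)
Oct  5 14:58:40 sensor snort[4242]: spp_portscan: End of portscan from 10.20.0.7: TOTAL time(39s) hosts(1) TCP(2) UDP(0) STEALTH
"""

# Hypothetical value of the "preprocessor portscan-ignorehosts:" directive:
# a space-separated list of CIDR blocks and single hosts.
IGNORE_HOSTS = "10.20.0.0/28 10.20.0.9"

# Only the "PORTSCAN DETECTED" line is counted, so each scan is tallied once;
# the status and end-of-scan lines for the same source are skipped.
DETECTED_RE = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\S+) \((\w+)")


def parse_ignore_hosts(directive):
    """Turn the directive value into ip_network objects; bare hosts become /32."""
    return [ipaddress.ip_network(tok, strict=False) for tok in directive.split()]


def parse_detected(lines):
    """Yield (source_ip, scan_kind) for every 'PORTSCAN DETECTED' line."""
    for line in lines:
        m = DETECTED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def is_ignored(ip, networks):
    """True if the source address falls inside any ignored block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(lines, directive):
    """Count alerts per (source, kind) and split sources by ignore-list coverage.

    A non-empty 'ignored_but_alerting' bucket is the symptom described in the
    post: the address is in the list, yet the preprocessor still fires on it.
    """
    networks = parse_ignore_hosts(directive)
    result = {
        "by_source": Counter(),
        "ignored_but_alerting": Counter(),
        "not_ignored": Counter(),
    }
    for ip, kind in parse_detected(lines):
        result["by_source"][(ip, kind)] += 1
        bucket = "ignored_but_alerting" if is_ignored(ip, networks) else "not_ignored"
        result[bucket][ip] += 1
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_ALERTS.splitlines(), IGNORE_HOSTS)
    for (ip, kind), n in sorted(report["by_source"].items()):
        print(f"{ip:16} {kind:10} {n}")
    print("in ignore list but still alerting:", dict(report["ignored_but_alerting"]))
    print("outside ignore list:", dict(report["not_ignored"]))
```

Feeding the sensor's real syslog into `audit` instead of `SAMPLE_ALERTS` shows directly whether the alerting sources sit inside the configured blocks; sources that are covered yet keep alerting point at a preprocessor-ordering or syntax question rather than at a gap in the list, while sources outside it are simply candidates to add.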