[Snort-users] False FTP Portscans
k_bogac at ...131...
Wed Sep 13 10:51:05 EDT 2000
Does anyone know of a way to block a destination port
from generating alerts on the portscan pre-processor?
I get numerous false alerts from ftp servers trying to
establish data connections to our proxies on TCP port
20. If I turn up the pre-processor counts high enough
to ignore them I miss everything else. These are valid
connections but during high loads the proxies seem to
be unable to accept the connections fast enough or
they ignore the connections for other reasons. Some
ftp servers will bang away for several minutes before
giving up. This generates tons of false alerts in the
logs. I'd like to just ignore TCP scans to TCP port
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
More information about the Snort-users