[Snort-users] False FTP Portscans

Martin Roesch roesch at ...421...
Wed Sep 13 12:21:58 EDT 2000


Prefilter the traffic using the BPF interface.

snort <args> not src port 20

You could also put that (not src port 20) into a file and load it at runtime
with the -F switch.

    -Marty

Kevin wrote:
> 
> Does anyone know of a way to block a destination port
> from generating alerts on the portscan pre-processor?
> I get numerous false alerts from ftp servers trying to
> establish data connections to our proxies on TCP port
> 20. If I turn up the pre-processor counts high enough
> to ignore them I miss everything else. These are valid
> connections but during high loads the proxies seem to
> be unable to accept the connections fast enough or
> they ignore the connections for other reasons. Some
> ftp servers will bang away for several minutes before
> giving up. This generates tons of false alerts in the
> logs. I'd like to just ignore TCP scans to TCP port
> 20.
> 
> Thanks,
> Kevin
> 

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
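
A narrower variant of the prefilter suggested above, as an added example that is not part of the original messages or of Snort itself: it writes a filter file for the -F switch that excludes only TCP traffic from source port 20 addressed to named proxy hosts, so any other traffic from port 20 still reaches Snort. The proxy addresses (192.0.2.x), the function names and the file name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a BPF filter file
# for "snort <args> -F FILE" that ignores FTP data-channel connection
# attempts (TCP source port 20) only when they target the listed proxies.

# build_ftp_data_filter PROXY_IP...
# Prints: not (tcp and src port 20 and (dst host A or dst host B ...))
build_ftp_data_filter() {
    if [ "$#" -eq 0 ]; then
        echo "usage: build_ftp_data_filter proxy_ip..." >&2
        return 1
    fi
    hosts=""
    for h in "$@"; do
        # Accept only digits and dots, so no stray BPF keywords or shell
        # metacharacters can end up inside the filter expression.
        case "$h" in
            ""|*[!0-9.]*|.*|*.|*..*)
                echo "bad address: $h" >&2
                return 1 ;;
        esac
        if [ -z "$hosts" ]; then
            hosts="dst host $h"
        else
            hosts="$hosts or dst host $h"
        fi
    done
    printf 'not (tcp and src port 20 and (%s))\n' "$hosts"
}

# write_filter_file PATH PROXY_IP...
# Writes the expression to PATH; leaves PATH untouched on bad input.
write_filter_file() {
    out=$1
    shift
    filter=$(build_ftp_data_filter "$@") || return 1
    printf '%s\n' "$filter" > "$out"
}

# Typical use, with constructed proxy addresses:
#   write_filter_file ./ftp-data.bpf 192.0.2.10 192.0.2.11
#   snort <args> -F ./ftp-data.bpf
```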


