[Snort-users] False FTP Portscans

Christopher Cramer cec at ...68...
Wed Sep 13 14:24:20 EDT 2000

Without putting words into Patrick's mouth (or his code), I believe the
next version of the portscan preprocessor will allow you to more tightly
specify which things to ignore.  One thing to be careful of: what if I
choose to scan your network by setting my src address to a well-known port
(e.g. 20)?


Dr. Christopher E. Cramer
Assistant Research Professor
Duke University, Department of Electrical and Computer Engineering
114 Hudson Hall, Box 90291, Durham, NC  27708-0291
PH:  919-660-5248     FAX:  919-660-5293     email:  cec at ...68...

On Wed, 13 Sep 2000, Kevin wrote:

> Does anyone know of a way to block a destination port
> from generating alerts on the portscan pre-processor?
> I get numerous false alerts from ftp servers trying to
> establish data connections to our proxies on TCP port
> 20. If I turn up the pre-processor counts high enough
> to ignore them I miss everything else. These are valid
> connections but during high loads the proxies seem to
> be unable to accept the connections fast enough or
> they ignore the connections for other reasons. Some
> ftp servers will bang away for several minutes before
> giving up. This generates tons of false alerts in the
> logs. I'd like to just ignore TCP scans to TCP port
> 20.
> Thanks,
> Kevin

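Added example (not part of the original thread and not Snort's preprocessor code): a small threshold-based scan counter run over constructed events, comparing a blanket "ignore source port 20" exemption with one that exempts port-20 traffic only from a server the destination host already opened an FTP control connection to. It assumes active-mode FTP, where the server's data connection originates from TCP port 20; the `detect` function, the policy names, the addresses, and the threshold are all hypothetical, and session timeouts and PORT-command parsing are left out.

```python
from collections import defaultdict

FTP_CONTROL, FTP_DATA = 21, 20

# Constructed addresses (documentation ranges), not real traffic.
PROXY, FTP_SERVER, SCANNER = "10.0.0.5", "192.0.2.10", "198.51.100.7"

# Constructed events: (src_ip, src_port, dst_ip, dst_port)
EVENTS = (
    # The proxy opens an FTP control session to a legitimate server.
    [(PROXY, 40001, FTP_SERVER, FTP_CONTROL)]
    # The server retries active-mode data connections to several proxy ports.
    + [(FTP_SERVER, FTP_DATA, PROXY, 40100 + i) for i in range(6)]
    # An unrelated host probes the proxy with its source port fixed to 20.
    + [(SCANNER, FTP_DATA, PROXY, p) for p in (22, 23, 25, 80, 110, 443)]
)


def detect(events, threshold, policy):
    """Return the sources that touched >= threshold distinct targets.

    policy is one of (hypothetical names):
      "none"               - count every connection attempt
      "ignore_src_port_20" - drop anything sent from TCP port 20
      "correlate"          - drop port-20 traffic only when the destination
                             previously opened a control session to the sender
    """
    control = set()             # (client_ip, server_ip) pairs seen on port 21
    targets = defaultdict(set)  # src_ip -> {(dst_ip, dst_port), ...}
    for src, sport, dst, dport in events:
        if dport == FTP_CONTROL:
            control.add((src, dst))
        if sport == FTP_DATA:
            if policy == "ignore_src_port_20":
                continue
            if policy == "correlate" and (dst, src) in control:
                continue
        targets[src].add((dst, dport))
    return {src for src, seen in targets.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for policy in ("none", "ignore_src_port_20", "correlate"):
        print(policy, sorted(detect(EVENTS, 5, policy)))
```

With these events the blanket exemption silences the FTP server and the port-20 scan alike, while the correlated exemption removes only the false positive.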