[Snort-users] False FTP Portscans
k_bogac at ...131...
Thu Sep 14 12:46:17 EDT 2000
I'll live with the danger for now. I had over 1500
alerts from this before 9:00 this morning. That's a
lot of noise.
--- Christopher Cramer <cec at ...68...> wrote:
> Without putting words into Patrick's mouth (or his
> code), I believe the
> next version of the portscan preprocessor will allow
> you to more tightly
> specify which things to ignore. One thing to be
> careful of, what if I
> choose to scan your network by setting my src
> address to a well known port
> (e.g. 20)?
> Dr. Christopher E. Cramer
> Assistant Research Professor
> Duke University, Department of Electrical and
> Computer Engineering
> 114 Hudson Hall, Box 90291, Durham, NC 27708-0291
> PH: 919-660-5248 FAX: 919-660-5293 email:
> cec at ...68...
> On Wed, 13 Sep 2000, Kevin wrote:
> > Does anyone know of a way to block a destination
> > from generating alerts on the portscan
> > I get numerous false alerts from ftp servers
> trying to
> > establish data connections to our proxies on TCP
> > 20. If I turn up the pre-processor counts high
> > to ignore them I miss everything else. These are
> > connections but during high loads the proxies seem
> > to be unable to accept the connections fast enough or
> > they ignore the connections for other reasons.
> > ftp servers will bang away for several minutes
> > giving up. This generates tons of false alerts in
> > logs. I'd like to just ignore TCP scans to TCP
> > 20.
> > Thanks,
> > Kevin
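The trade-off discussed in this thread, as an added example (not Snort code and not from either poster): a toy threshold portscan detector run with three suppression policies over constructed traffic. The addresses, threshold and function names are assumptions; the scoped rule relies on active-mode FTP data connections going from server port 20 to an unprivileged client port.

```python
from collections import defaultdict

THRESHOLD = 4            # distinct targets per source in one window (constructed)
PROXIES = {"192.0.2.5"}  # hypothetical proxy address

def detect(packets, suppress):
    """Flag sources whose SYNs hit >= THRESHOLD distinct (dst_ip, dst_port) pairs."""
    targets = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in packets:
        if not suppress(src_port, dst_ip, dst_port):
            targets[src_ip].add((dst_ip, dst_port))
    return {ip for ip, seen in targets.items() if len(seen) >= THRESHOLD}

def no_suppression(src_port, dst_ip, dst_port):
    return False

def ignore_src_port_20(src_port, dst_ip, dst_port):
    # Quiet, but trusts a field the sender controls.
    return src_port == 20

def ignore_ftp_data_to_proxy(src_port, dst_ip, dst_port):
    # Only the traffic shape that causes the false alerts:
    # port 20 -> a known proxy's unprivileged port.
    return src_port == 20 and dst_ip in PROXIES and dst_port >= 1024

FTP_SERVER, SCANNER = "198.51.100.10", "203.0.113.77"
# Constructed sample: retried FTP data connections, plus a scan sent from port 20.
SAMPLE = (
    [(FTP_SERVER, 20, "192.0.2.5", p) for p in range(40001, 40007)]
    + [(SCANNER, 20, "192.0.2.5", p) for p in (21, 22, 23, 25)]
    + [(SCANNER, 20, "192.0.2.9", p) for p in (80, 110)]
)

def compare():
    policies = (no_suppression, ignore_src_port_20, ignore_ftp_data_to_proxy)
    return {f.__name__: detect(SAMPLE, f) for f in policies}

if __name__ == "__main__":
    for name, flagged in compare().items():
        print(f"{name:26} -> {sorted(flagged)}")
```

Even the scoped rule leaves port-20 traffic to the proxies' high ports uncounted, so that range needs coverage from another control.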