[Snort-users] False FTP Portscans

Kevin k_bogac at ...131...
Thu Sep 14 12:46:17 EDT 2000


I'll live with the danger for now. I had over 1500
alerts from this before 9:00 this morning. That's a
lot of noise.
Thanks

--- Christopher Cramer <cec at ...68...> wrote:
> 
> Without putting words into Patrick's mouth (or his code), I believe the
> next version of the portscan preprocessor will allow you to more tightly
> specify which things to ignore.  One thing to be careful of, what if I
> choose to scan your network by setting my src address to a well known port
> (e.g. 20)?
> 
> -Chris
> 
> ----------------------------------------------------------------------
> Dr. Christopher E. Cramer
> Assistant Research Professor
> Duke University, Department of Electrical and Computer Engineering
> 114 Hudson Hall, Box 90291, Durham, NC  27708-0291
> PH:  919-660-5248     FAX:  919-660-5293     email: cec at ...68...
> 
> 
> On Wed, 13 Sep 2000, Kevin wrote:
> 
> > Does anyone know of a way to block a destination port
> > from generating alerts on the portscan pre-processor?
> > I get numerous false alerts from ftp servers trying to
> > establish data connections to our proxies on TCP port
> > 20. If I turn up the pre-processor counts high enough
> > to ignore them I miss everything else. These are valid
> > connections but during high loads the proxies seem to
> > be unable to accept the connections fast enough or
> > they ignore the connections for other reasons. Some
> > ftp servers will bang away for several minutes before
> > giving up. This generates tons of false alerts in the
> > logs. I'd like to just ignore TCP scans to TCP port
> > 20.
> > 
> > Thanks,
> > Kevin
> > 
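Added example, not part of the original thread and not Snort's portscan preprocessor code: a small Python model of the trade-off discussed above, following the source-port case Chris raises. It compares a blanket "ignore source port 20" exemption with one that exempts those SYNs only when a proxy recently opened an FTP control connection (port 21) to the same server. The addresses, thresholds, function names and events are constructed assumptions, and matching on the control session alone is a simplification of active-mode FTP.

```python
from collections import defaultdict

PROXIES = {"192.0.2.5"}   # assumed internal proxy address
CONTROL_WINDOW = 300      # seconds a control session vouches for data SYNs
SCAN_THRESHOLD = 4        # distinct destination ports from one source => alert

# Constructed sample of SYN packets: (time, src_ip, src_port, dst_ip, dst_port)
EVENTS = [(0, "192.0.2.5", 35000, "198.51.100.10", 21)]        # proxy opens FTP control
EVENTS += [(t, "198.51.100.10", 20, "192.0.2.5", 40000 + t)    # server retries data SYNs
           for t in range(1, 7)]
EVENTS += [(10 + i, "203.0.113.77", 20, "192.0.2.5", p)        # source port 20, no control session
           for i, p in enumerate([22, 23, 25, 80, 110])]


def ignore_by_port(ev, _control):
    """Blanket exemption: any SYN with source port 20 is skipped."""
    return ev[2] == 20


def ignore_by_session(ev, control):
    """Exempt source-port-20 SYNs only from a server a proxy recently contacted on port 21."""
    ts, src, sport, dst, _ = ev
    opened = control.get((dst, src))
    return sport == 20 and opened is not None and ts - opened <= CONTROL_WINDOW


def portscan_alerts(events, should_ignore):
    """Return sources that hit at least SCAN_THRESHOLD distinct ports on a proxy."""
    control = {}               # (proxy, server) -> time of last control SYN
    ports = defaultdict(set)   # source -> distinct destination ports seen
    for ev in sorted(events):
        ts, src, sport, dst, dport = ev
        if src in PROXIES and dport == 21:
            control[(src, dst)] = ts
            continue
        if dst in PROXIES and not should_ignore(ev, control):
            ports[src].add(dport)
    return sorted(s for s, p in ports.items() if len(p) >= SCAN_THRESHOLD)
```

With the blanket exemption both sources go quiet; with the session-based exemption only the FTP server that a proxy actually contacted is silenced.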

