[Snort-users] Question about preprocessor portscan and ignoring ports

Joe McAlerney joey at ...155...
Thu Jan 18 12:28:34 EST 2001


No, that won't work, because the plugin handles the traffic before it
gets sent to the rules engine.  There is no way to specify certain
destination ports to ignore traffic to, just hosts sending it.  You
could try lowering your threshold to the point where the web traffic
slips by, but (many) portscans are detected.  Keep in mind, someone can
evade it with a slow scan, so you might want to look into Spade to catch
some of those as well.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+

> Jean-Philippe Grenier wrote:
> 
> I would like to make sure that the preprocessor portscan works the way
> I think it does.
> 
> If I use the preprocessor portscan and I ignore some traffic, will the
> ignored traffic be counted by the preprocessor portscan? Or, in other
> words, is the ignored traffic ignored before or after the preprocessor
> portscan?
> 
> I only want to make sure that connections on our web servers will not
> be counted by the preprocessor portscan.
> 
> Will the following configs do it?
> 
> (from my config file)
> preprocessor portscan: 192.168.6.0/24 5 7 /var/log/snort_portscan.log
> 
> # ignore incoming traffic to web servers
> pass tcp any 80 <> any any
> pass tcp any 443 <> any any
> 
> # ignore outgoing traffic to email servers
> pass tcp any any <> any 25
> 
> Thanks, Jean-Philippe Grenier
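
Added example, not part of the original thread and not Snort's code: a simplified Python model of the ordering Joe describes, where the portscan stage counts every packet before pass rules are evaluated and only a source-host ignore list is applied at that stage. The counting rule (distinct destination/port targets per source inside the window), the class and function names, and all sample traffic are assumptions constructed for illustration; the threshold of 5 in 7 seconds comes from the config in the question.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PASS_PORTS = {80, 443, 25}  # ports named in the question's pass rules


class PortscanModel:
    """Simplified model (assumption): a source is flagged once it has touched
    `ports` distinct (dst, dport) targets within `period` seconds."""

    def __init__(self, ports, period, ignore_hosts=()):
        self.ports, self.period = ports, period
        self.ignore = [ip_network(n) for n in ignore_hosts]
        self.recent = defaultdict(deque)  # src -> (ts, dst, dport) in window
        self.flagged = set()

    def packet(self, ts, src, dst, dport):
        # The only filter available at this stage is by sending host.
        if any(ip_address(src) in net for net in self.ignore):
            return
        win = self.recent[src]
        win.append((ts, dst, dport))
        while ts - win[0][0] > self.period:  # expire entries outside the window
            win.popleft()
        if len({(d, p) for _, d, p in win}) >= self.ports:
            self.flagged.add(src)


def run(packets, ports, period, ignore_hosts=()):
    """Stage 1 (preprocessor) sees every packet; stage 2 (rules) applies pass."""
    pre, passed = PortscanModel(ports, period, ignore_hosts), 0
    for ts, src, dst, dport in packets:
        pre.packet(ts, src, dst, dport)
        if dport in PASS_PORTS:  # pass rule matches, but stage 1 already counted
            passed += 1
    return pre.flagged, passed


# Constructed sample traffic: (timestamp, src, dst, dport)
WEB = [(i * 0.5, "203.0.113.5", f"192.168.6.{i + 1}", 80) for i in range(6)]
FAST = [(i * 0.2, "203.0.113.7", "192.168.6.1", p)
        for i, p in enumerate((21, 22, 23, 53, 110, 111))]
SLOW = [(i * 10.0, "203.0.113.9", "192.168.6.1", p)
        for i, p in enumerate((21, 22, 23, 53, 110, 111))]
SAMPLE = WEB + FAST + SLOW

if __name__ == "__main__":
    print(run(SAMPLE, 5, 7))                      # web client and fast scan flagged
    print(run(SAMPLE, 5, 7, ["203.0.113.5/32"]))  # web client ignored by host
```

In this model the web client is flagged even though all six of its packets match a pass rule, the host ignore list is what removes it, and the source sending one probe every ten seconds never reaches the threshold.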



