[Snort-users] Question about preprocessor portscan and ignoring ports

Jean-Philippe Grenier jgrenier at ...1106...
Thu Jan 18 12:45:11 EST 2001


I thought it would have acted this way. Well, I can probably apply a BPF
and never send web and mail traffic to snort. This way I'm sure
that it will never go to the plugin.


Thanks, Jean-Philippe Grenier


-----Original Message-----
From: Joe McAlerney [mailto:joey at ...155...]
Sent: Thursday, January 18, 2001 12:29 PM
To: Jean-Philippe Grenier
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Question about preprocessor portscan and
ignoring ports


No, that won't work, because the plugin handles the traffic before it
gets sent to the rules engine.  There is no way to specify certain
destination ports to ignore traffic to, just hosts sending it.  You
could try lowering your threshold to the point where the web traffic
slips by, but (many) portscans are detected.  Keep in mind, someone can
evade it with a slow scan, so you might want to look into Spade to catch
some of those as well.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+

> Jean-Philippe Grenier wrote:
> 
> I would like to make sure that the preprocessor portscan works the way I
> think it does.
> 
> If I use the preprocessor portscan and I ignore some traffic, will the
> ignored traffic be counted by the preprocessor portscan? In other words,
> is the ignored traffic ignored before or after the preprocessor portscan?
> 
> I only want to make sure that connections to our web servers will not be
> counted by the preprocessor portscan.
> 
> Will the following configs do it?
> 
> (from my config file)
> preprocessor portscan: 192.168.6.0/24 5 7 /var/log/snort_portscan.log
> 
> # ignore incoming traffic to web servers
> pass tcp any 80 <> any any
> pass tcp any 443 <> any any
> 
> # ignore outgoing traffic to email servers
> pass tcp any any <> any 25
> 
> Thanks, Jean-Philippe Grenier
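The ordering point made in this thread (a pass rule is applied by the rules engine, after the portscan preprocessor has already counted the packet, while a BPF capture filter keeps the packet from ever reaching Snort) can be shown with a toy model of the packet flow. This is an added illustration, not Snort code: the detector is a simplified stand-in that treats the "5" in the quoted config as a distinct-target threshold, and the hosts and packets are constructed.

```python
"""Toy model of Snort 1.x packet flow: BPF capture filter -> preprocessors -> rules engine.
Constructed example; the detector is a simplified stand-in for the real portscan plugin."""
from collections import defaultdict

# Ports the poster wants excluded (web in, mail out). In the BPF case this is the
# equivalent of handing Snort the capture filter:
#   not (tcp port 80 or tcp port 443 or tcp port 25)
EXCLUDED_PORTS = {80, 443, 25}

# Constructed packets as (src, dst, dport). 10.0.0.5 is a browsing client talking to
# several web servers in 192.168.6.0/24; 10.0.0.99 probes five non-web ports on one host.
PACKETS = [
    ("10.0.0.5", "192.168.6.10", 80), ("10.0.0.5", "192.168.6.10", 443),
    ("10.0.0.5", "192.168.6.11", 80), ("10.0.0.5", "192.168.6.11", 443),
    ("10.0.0.5", "192.168.6.12", 80),
    ("10.0.0.99", "192.168.6.20", 21), ("10.0.0.99", "192.168.6.20", 22),
    ("10.0.0.99", "192.168.6.20", 23), ("10.0.0.99", "192.168.6.20", 110),
    ("10.0.0.99", "192.168.6.20", 143),
]


def bpf_filter(packets):
    """Capture filter: packets dropped here are never seen by any Snort component."""
    return [p for p in packets if p[2] not in EXCLUDED_PORTS]


def portscan_preprocessor(packets, threshold):
    """Count distinct (dst, dport) targets per source; flag sources at or above threshold.
    Simplified model of the preprocessor: it sees everything the capture filter let through."""
    targets = defaultdict(set)
    for src, dst, dport in packets:
        targets[src].add((dst, dport))
    return {src for src, seen in targets.items() if len(seen) >= threshold}


def rules_engine(packets):
    """The 'pass' rules live here. They suppress alerts on web/mail traffic, but the
    preprocessor has already run, so nothing it counted is undone."""
    return [p for p in packets if p[2] not in EXCLUDED_PORTS]


def run_snort(packets, threshold=5, use_bpf=False):
    """Return (sources flagged by the portscan model, packets reaching rule inspection)."""
    captured = bpf_filter(packets) if use_bpf else list(packets)
    flagged = portscan_preprocessor(captured, threshold)
    inspected = rules_engine(captured)
    return flagged, len(inspected)
```

With pass rules only, the browsing client is flagged alongside the prober because its five web connections are counted before the rules engine ever sees them; with the BPF filter in front, only the prober remains.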