[Snort-users] Question about preprocessor portscan and ignoring ports

Don Pierce don at ...1157...
Thu Jan 18 13:12:20 EST 2001


Simple question. If I start up snort2bb.pl in verbose mode, where does the
verbose information get stored?

Don
  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jean-Philippe
Grenier
  Sent: Thursday, January 18, 2001 9:45 AM
  To: 'Joe McAlerney'; Jean-Philippe Grenier
  Cc: 'snort-users at lists.sourceforge.net'
  Subject: RE: [Snort-users] Question about preprocessor portscan and
ignoring ports


  I thought it would have acted this way. Well I can probably apply a BPF
  and never send web and mail traffic to snort. This way I'm sure
  that it will never go to the plugin.



  Thanks, Jean-Philippe Grenier



  -----Original Message-----
  From: Joe McAlerney [mailto:joey at ...155...]
  Sent: Thursday, January 18, 2001 12:29 PM
  To: Jean-Philippe Grenier
  Cc: 'snort-users at lists.sourceforge.net'
  Subject: Re: [Snort-users] Question about preprocessor portscan and
  ignoring ports



  No, that won't work, because the plugin handles the traffic before it
  gets sent to the rules engine.  There is no way to specify certain
  destination ports to ignore traffic to, just hosts sending it.  You
  could try lowering your threshold to the point where the web traffic
  slips by, but (many) portscans are detected.  Keep in mind, someone can
  evade it with a slow scan, so you might want to look into Spade to catch
  some of those as well.

  -Joe M.

  --
  +--                            --+
  | Joe McAlerney, Silicon Defense |
  | http://www.silicondefense.com/ |
  +--                            --+

  > Jean-Philippe Grenier wrote:
  >
  > I would like to make sure the preprocessor portscan works like I
  > think it does.
  >
  > If I use the preprocessor portscan and I ignore some traffic, will the
  > ignored traffic be counted in the preprocessor portscan? Or in other
  > words, is the ignored traffic ignored before or after the preprocessor
  > portscan?
  >
  > I only want to make sure that connections on our web servers will not
  > be counted in the preprocessor portscan.
  >
  > Will the following configs do it?
  >
  > (from my config file)
  > preprocessor portscan: 192.168.6.0/24 5 7 /var/log/snort_portscan.log
  >
  > # ignore incoming traffic to web servers
  > pass tcp any 80 <> any any
  > pass tcp any 443 <> any any
  >
  > # ignore outgoing traffic to email servers
  > pass tcp any any <> any 25
  >
  > Thanks, Jean-Philippe Grenier

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010118/cf8fdfe0/attachment.html>
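
Added example (not part of the original thread and not Snort's code): a simplified Python model of the ordering Joe describes, where the portscan preprocessor counts a packet before any pass rule is consulted, while a BPF capture filter removes the packet before Snort sees it. Reading "5 7" as five distinct ports within seven seconds, the addresses and the packet list are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PORTS, SECONDS = 5, 7           # from "portscan: 192.168.6.0/24 5 7 ..."
IGNORED = {80, 443, 25}         # ports named in the pass rules

def touches_ignored(pkt):
    """Same predicate as the three bidirectional pass rules (and a matching BPF)."""
    _, _, sport, dport = pkt
    return sport in IGNORED or dport in IGNORED

def flagged_sources(packets, bpf=False):
    """Simplified model (assumption), not Snort's code: a source is flagged once
    it has touched PORTS distinct destination ports within SECONDS seconds."""
    recent = defaultdict(deque)             # src -> (ts, dport) inside the window
    flagged = set()
    for pkt in sorted(packets):
        ts, src, _, dport = pkt
        if bpf and touches_ignored(pkt):
            continue                        # capture filter: Snort never sees it
        window = recent[src]                # preprocessor stage runs first
        window.append((ts, dport))
        while window[0][0] <= ts - SECONDS:
            window.popleft()
        if len({port for _, port in window}) >= PORTS:
            flagged.add(src)
        if touches_ignored(pkt):
            continue                        # pass rule: skips rule matching only
        # alert/log rules would be evaluated here
    return flagged

# Constructed sample traffic: (seconds, source, source port, destination port)
CLIENT, SCANNER, SLOW = "203.0.113.5", "198.51.100.9", "198.51.100.77"
PACKETS = (
    [(i, CLIENT, 40000 + i, p) for i, p in enumerate([80, 443, 25, 110, 143])]
    + [(i, SCANNER, 50000, p) for i, p in enumerate([21, 22, 23, 110, 111])]
    + [(i * 10, SLOW, 50000, p) for i, p in enumerate([21, 22, 23, 110, 111])]
)

if __name__ == "__main__":
    print("pass rules only:", sorted(flagged_sources(PACKETS)))
    print("with BPF filter:", sorted(flagged_sources(PACKETS, bpf=True)))
```

With pass rules alone the web and mail client is still flagged; with the capture filter only the fast scanner is, and the source that spaces its probes ten seconds apart is flagged in neither run, which is the gap Joe suggests covering with Spade.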

