[Snort-users] Really, *really* ignore a portscan.
roesch at ...421...
Fri Jan 26 10:54:55 EST 2001
Ok guys, here's how it works. Roman is right. :) If you want to filter
out something like portscans being set off by ECN traffic (which is what
it sounds like is going on), you should use a BPF filter that gets
applied at the pcap stage. Joe McAlerney posted a BPF filter to the dev
list yesterday that should fix the problem temporarily:
snort <command options> not 'tcp[13] & 192 != 0'
Try that. The 'portscan-ignorehosts' directive won't work in this case
because it only filters out "normal" (SYN & UDP) portscans from the
indicated addresses, not stealth ones. This behavior should at least be
extended to reservedbits scans, perhaps all other scan types as well.
roman at ...438... wrote:
> The Snort execution sequence is:
> pcap => pre-processor => processor => output facilities
> The alert/log/pass order only influences the behavior of the
> processor (i.e. the rules). However, the pre-processor "sees"
> the packet even before the rules engine is applied. Hence the -o
> switch has no effect.
> Perhaps you can do some host exclusions with BPF?
> > Sven Veckes wrote:
> > > > > Did you use the '-o' switch??
> > > > > Snort is doing the alerts before passing the traffic. With this switch you
> > > > > can change the order.
> > > I'm using this:
> > > var DNS_SERVERS [10.1.0.0/16]
> > > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > > and it seems to work. For portscans.
> > I don't dispute that what you have above works, in fact it's the same
> > setup as what I have. What I'm curious about is whether with the
> > portscan preprocessor the '-o' flag has any effect or not.
> > It would seem to me that "preprocessor" implies that this is run prior
> > to processing the ruleset.
> > Again, I don't know for sure, just a hunch...
> > --shawn
> > --
> > s h a w n m o y e r
> > shawn at ...1184...
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
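The pcap-stage ECN filter discussed above, as an added example that is not part of the original thread: a pure-Python model of the BPF predicate `tcp[13] & 192 != 0` (byte 13 of the TCP header is the flags byte; 192 = 0xC0 = CWR|ECE) applied to constructed IPv4/TCP packets, so you can see which packets the portscan preprocessor never receives when the filter is in place.

```python
# Added example, not code from the thread or from Snort. It reproduces the
# BPF expression  not 'tcp[13] & 192 != 0'  in Python and runs it over
# hand-built packets so the drop/pass decision is visible without a capture.
import struct

ECN_MASK = 0xC0          # CWR (0x80) | ECE (0x40): bits 6-7 of the TCP flags byte
TCP_FLAGS_OFFSET = 13    # flags byte offset within the TCP header, i.e. tcp[13]

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (no options, no payload).
    Checksums are left at zero; the filter never inspects them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

def tcp_flags(pkt):
    """Return tcp[13] for an IPv4/TCP packet, or None if it is not TCP.
    BPF's tcp[n] indexes from the start of the TCP header, after the
    variable-length IP header, so the IHL field must be honoured."""
    if pkt[9] != 6:                       # IP protocol field: 6 == TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + TCP_FLAGS_OFFSET]

def bpf_not_ecn(pkt):
    """Equivalent of  not 'tcp[13] & 192 != 0' : True means the packet passes."""
    f = tcp_flags(pkt)
    return f is None or (f & ECN_MASK) == 0

# Constructed sample traffic (not captured data); addresses are placeholders.
SAMPLE = {
    "syn":           build_ipv4_tcp("10.1.2.3", "10.1.0.5", 40000, 53, 0x02),   # plain SYN
    "ecn_syn":       build_ipv4_tcp("10.1.2.3", "10.1.0.5", 40001, 80, 0xC2),   # SYN+ECE+CWR (ECN setup)
    "reserved_only": build_ipv4_tcp("10.1.2.3", "10.1.0.5", 40002, 22, 0xC0),   # only bits 6-7 set
    "ack":           build_ipv4_tcp("10.1.2.3", "10.1.0.5", 40003, 443, 0x10),  # plain ACK
}

def passed_names():
    """Names of the sample packets that survive the filter and reach Snort."""
    return sorted(name for name, pkt in SAMPLE.items() if bpf_not_ecn(pkt))

if __name__ == "__main__":
    print("reaches preprocessor:", passed_names())   # ['ack', 'syn']
```

Note that the filter drops every packet with CWR or ECE set, including legitimate ECN-capable SYNs, so nothing in Snort (rules included) will see that traffic while the filter is active.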