[Snort-users] portscan false alerts on NFS & ftp

Andrew Daviel andrew at ...523...
Sat Jun 2 18:49:33 EDT 2001


Is there a way to disable the portscan for NFS data transfers ?

I recently had a slightly embarrassing automatic alert sent to
a collaborating institution by my reporter script, triggered off
a legitimate NFS transfer as below. I have since fixed my script to
ignore source port 2049 but maybe it is/should be ignorable in Snort ?

(I know NFS across the Internet is deprecated, but we've been doing it for
years and it's Gb of non-sensitive data ... too difficult to change
everything...)


Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:719 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:721 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:723 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:725 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:603 UDP
Jun  2 01:27:08 x.y.36.33:2049 -> 142.90.a.b:605 UDP

In a similar vein I sometimes get scan alerts off big ftp data transfers.
I suspect that the snort system is losing some packets if it sees a SYN
only, or maybe the net's congested or something. Difficult to test.
I'd been ignoring scans to unprivileged ports in my script, but maybe
I should ignore source port 20. Again, can one ignore this in Snort ?

May 29 09:43:18 137.138.24.190:20 -> 142.90.100.68:2519 SYN ******S*
May 29 09:43:27 137.138.24.190:20 -> 142.90.100.68:2520 SYN ******S*
May 29 09:43:53 137.138.24.190:20 -> 142.90.100.68:2521 SYN ******S*
May 29 09:44:08 137.138.24.190:20 -> 142.90.100.68:2522 SYN ******S*
May 29 09:44:15 137.138.24.190:20 -> 142.90.100.68:2523 SYN ******S*
May 29 09:44:58 137.138.24.190:20 -> 142.90.100.68:2526 SYN ******S*
May 29 09:46:36 137.138.24.190:20 -> 142.90.100.68:2527 SYN ******S*


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
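The two false positives above have the same shape: a server answering from a fixed well-known port (2049/udp for NFS, 20/tcp for an active-mode FTP data connection) to a run of client ports, which the Snort 1.x portscan preprocessor cannot distinguish from a scan. The following is an added example, not the poster's reporter script nor any Snort code, of a small filter that parses portscan.log lines and drops entries from those source ports before a report is sent. The log lines embedded in it are constructed (RFC 5737 addresses), the port table and the optional `trusted_sources` restriction are assumptions of this example, and the port-fanout summary is only a rough sanity check, not the preprocessor's own threshold logic.

```python
"""Filter Snort 1.x portscan.log entries that come from legitimate server
data ports (NFS replies from 2049/udp, active-mode FTP data from 20/tcp)
before an automatic reporter script sends them anywhere.

Constructed sample log for this example (RFC 5737 addresses)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Snort 1.x portscan.log line: "Mon DD HH:MM:SS src:sport -> dst:dport PROTO [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)

# (transport, source port) -> reason. Assumed table for this example; extend
# it for other servers whose replies fan out across many client ports.
LEGIT_SOURCE_PORTS = {
    ("UDP", 2049): "NFS server reply (source port 2049/udp)",
    ("TCP", 20): "active-mode FTP data connection (source port 20/tcp)",
}

@dataclass(frozen=True)
class Entry:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    transport: str  # "UDP" or "TCP"
    flags: str      # TCP flag string, "" for UDP

def parse_line(line):
    """Return an Entry for one portscan.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    # Snort logs TCP scan packets with the flag name ("SYN", "FIN", ...)
    # rather than "TCP", so anything that is not UDP is treated as TCP here.
    transport = "UDP" if proto == "UDP" else "TCP"
    return Entry(m.group("ts"), m.group("src"), int(m.group("sport")),
                 m.group("dst"), int(m.group("dport")), transport,
                 m.group("flags") or "")

def suppression_reason(entry, trusted_sources=None):
    """Reason to drop this entry from the report, or None to keep it.

    If trusted_sources is given, only those hosts get the benefit of the
    doubt: a stranger sending from port 20 or 2049 is still reported."""
    if trusted_sources is not None and entry.src not in trusted_sources:
        return None
    return LEGIT_SOURCE_PORTS.get((entry.transport, entry.sport))

def filter_scans(lines, trusted_sources=None):
    """Split log lines into (kept, suppressed); suppressed holds (Entry, reason)."""
    kept, suppressed = [], []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable line: skip rather than report garbage
        reason = suppression_reason(e, trusted_sources)
        if reason:
            suppressed.append((e, reason))
        else:
            kept.append(e)
    return kept, suppressed

def distinct_ports_by_source(entries):
    """Number of distinct destination ports seen per source host."""
    ports = defaultdict(set)
    for e in entries:
        ports[e.src].add(e.dport)
    return {src: len(p) for src, p in ports.items()}

# Constructed sample: an NFS server, an active-mode FTP server, and a genuine
# probe of ports 21-23 from varying source ports.
SAMPLE_LOG = """\
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.5:719 UDP
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.5:721 UDP
Jun  2 01:27:07 192.0.2.33:2049 -> 198.51.100.5:723 UDP
May 29 09:43:18 203.0.113.190:20 -> 198.51.100.68:2519 SYN ******S*
May 29 09:43:27 203.0.113.190:20 -> 198.51.100.68:2520 SYN ******S*
May 29 09:43:53 203.0.113.190:20 -> 198.51.100.68:2521 SYN ******S*
May 29 10:02:01 203.0.113.9:41021 -> 198.51.100.68:21 SYN ******S*
May 29 10:02:01 203.0.113.9:41022 -> 198.51.100.68:22 SYN ******S*
May 29 10:02:02 203.0.113.9:41023 -> 198.51.100.68:23 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    kept, suppressed = filter_scans(SAMPLE_LOG, trusted_sources={"192.0.2.33", "203.0.113.190"})
    for e, why in suppressed:
        print(f"suppressed {e.src}:{e.sport} -> {e.dst}:{e.dport}: {why}")
    print("still worth reporting:", distinct_ports_by_source(kept))
```

The `trusted_sources` restriction matters: a source port is trivially chosen by the sender (nmap's `-g`/`--source-port` option sets it), so suppressing every packet from 20/tcp or 2049/udp hands a scanner an easy way past the report. Limiting the exemption to the collaborating hosts that actually serve NFS or FTP keeps the noise down without that blind spot.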