[Snort-users] portscan

Byron York byron at ...3288...
Wed Oct 10 07:08:15 EDT 2001


It could be DNS queries, but I don't know. In the conf file there is a
preprocessor portscan-ignorehosts. Put your internal IP address here and you
will not generate the false alarms from normal internal traffic. Also you can
bump up the threshold on the portscan preprocessor from 4 connections over 3
seconds to something higher.


alexus wrote:

> my snort detects way too much of so-called "portscan" even from my very own
> IP
>
> Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from
> 66.92.98.145: 6 connections across 6 hosts: TCP(0), UDP(6)
> Oct 10 00:51:07 box /kernel: Oct 10 00:51:07 box snort[605]: spp_portscan:
> portscan status from 66.92.98.145: 6 connections across 6 hosts: TCP(0),
> UDP(6)
> Oct 10 00:52:01 box snort[605]: spp_portscan: portscan status from
> 66.92.98.145: 2 connections across 2 hosts: TCP(0), UDP(2)
>
> I assume that this is a misconfiguration of some kind.. I do not portscan
> myself..
>
> any ideas?
>
> thank you in advance
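
An added example, not part of the original post and not Snort's own code: a small triage script that tallies spp_portscan status reports per source and proposes a `portscan-ignorehosts` entry only for the sensor's own addresses that show UDP-only fan-out, as in the thread. The log lines are constructed (documentation address ranges), and `own_hosts` is an assumed input you supply.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the spp_portscan syslog lines quoted in the thread
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE = """\
Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from 192.0.2.10: 6 connections across 6 hosts: TCP(0), UDP(6)
Oct 10 00:51:07 box /kernel: Oct 10 00:51:07 box snort[605]: spp_portscan: portscan status from 192.0.2.10: 6 connections across 6 hosts: TCP(0), UDP(6)
Oct 10 00:52:01 box snort[605]: spp_portscan: portscan status from 192.0.2.10: 2 connections across 2 hosts: TCP(0), UDP(2)
Oct 10 00:53:40 box snort[605]: spp_portscan: portscan status from 198.51.100.7: 40 connections across 1 hosts: TCP(40), UDP(0)
"""

STATUS = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: spp_portscan: "
    r"portscan status from (\d+\.\d+\.\d+\.\d+): (\d+) connections across "
    r"(\d+) hosts: TCP\((\d+)\), UDP\((\d+)\)")

def summarize(text):
    """Per-source totals, counting each status report once even when syslog
    relays it a second time (the '/kernel:' copy seen in the thread)."""
    seen = set()
    totals = defaultdict(lambda: {"reports": 0, "tcp": 0, "udp": 0})
    for line in text.splitlines():
        m = STATUS.search(line)
        if not m or m.groups() in seen:
            continue
        seen.add(m.groups())
        src, tcp, udp = m.group(2), int(m.group(5)), int(m.group(6))
        totals[src]["reports"] += 1
        totals[src]["tcp"] += tcp
        totals[src]["udp"] += udp
    return dict(totals)

def ignorehosts_line(totals, own_hosts):
    """Build a portscan-ignorehosts directive for own addresses that only
    showed UDP fan-out (consistent with DNS lookups). External sources and
    anything with TCP activity stay subject to detection."""
    picks = sorted(ip for ip, t in totals.items()
                   if ip in own_hosts and t["tcp"] == 0 and t["udp"] > 0)
    if not picks:
        return None
    return "preprocessor portscan-ignorehosts: " + " ".join(f"{ip}/32" for ip in picks)

if __name__ == "__main__":
    totals = summarize(SAMPLE)
    for ip, t in totals.items():
        print(ip, t)
    print(ignorehosts_line(totals, own_hosts={"192.0.2.10"}))
```

Review the per-source totals before adding anything to the ignore list: a host placed there is no longer checked by the portscan preprocessor at all.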




