[Snort-users] NEWBIE: portscan tuning

eboo at ...2198... eboo at ...2198...
Thu Oct 25 23:45:06 EDT 2001


Hi all,

Sorry if this has been asked before. I've read the manual but still am not
sure what I am doing wrong.

I get portscan alerts from snort when I access the web:

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from a.b.c.d
(THRESHOLD 5 connections exceeded in 6 seconds) [**]
10/17-17:14:52.252947

/etc/snort/snort.conf:

var DNS_SERVERS a.b.c.d

preprocessor portscan: $HOME_NET 4 3 portscan.log
(i've also tried commenting out the above line, same effect)

preprocessor portscan-ignorehosts: $DNS_SERVERS


How do I prevent get snort to not report portscans from my machine or
any network which I specify?

Thanks.

Eric




More information about the Snort-users mailing list