[Snort-users] NEWBIE: portscan tuning

Legus eboo at ...2198...
Sat Oct 27 20:51:02 EDT 2001


Sorry, 

This problem is driving me crazy. Any help? Is my conf setting wrong
with respect to the portscan?

Please help, thanks.

* eboo at ...2198... (eboo at ...2198...) wrote:
> 
> Hi all,
> 
> Sorry if this has been asked before. I've read the manual but still am not
> sure what I am doing wrong.
> 
> I get portscan alerts from snort when I access the web:
> 
> [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from a.b.c.d
> (THRESHOLD 5 connections exceeded in 6 seconds) [**]
> 10/17-17:14:52.252947
> 
> /etc/snort/snort.conf:
> 
> var DNS_SERVERS a.b.c.d
> 
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> (I've also tried commenting out the above line, same effect)
> 
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> 
> How do I get snort to not report portscans from my machine or
> any network which I specify?
> 
> Thanks.
> 
> Eric