[Snort-users] Alert log entry

Matt Kettler mkettler at ...4108...
Thu Dec 26 18:52:02 EST 2002


Look up the portscan preprocessor in your snort.conf.

In a LAN setting the default thresholds for the portscan preprocessor are 
going to be way too low. Really this preprocessor was designed for use in 
watching traffic come in to your LAN from the internet, and not to watch 
traffic between different nodes in your LAN.

I'd strongly recommend completely disabling the portscan preprocessor, and 
using the portscan2 preprocessor of snort 1.9.0 and higher instead (you'll 
have to tweak its settings a bit as well, but its defaults are a bit more 
sane and it's a bit more flexible.)

If you must use the regular old one, you're going to have to bump up your 
thresholds and set your portscan_ignorehosts properly.


At 10:13 AM 12/27/2002 +0800, you wrote:
>Hi all
>
>I am a new Snort user.. need some help.
>
>From my log.. I am seeing many such entries.... Is this normal in a LAN env
>of all Win2000 Prof machines? Thank you
>12/10-15:23:40.976000 [**] [100:1:1]
><\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN
>DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from
>192.168.1.1 (THRESHOLD 10 connections exceeded in 3 seconds) [**]
>
>12/10-15:23:44.554000 [**] [100:1:1]
><\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: PORTSCAN
>DETECTED on \Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118} from
>192.168.1.2 (THRESHOLD 10 connections exceeded in 11 seconds) [**]
>
>12/10-15:23:46.148000 [**] [100:2:1]
><\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
>status from 192.168.2.1: 6 connections across 6 hosts: TCP(0), UDP(6) [**]
>
>12/10-15:23:46.148000 [**] [100:2:1]
><\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
>status from 192.168.2.2: 5 connections across 5 hosts: TCP(0), UDP(5) [**]
>
>12/10-15:23:46.164000 [**] [100:2:1]
><\Device\NPF_{A4EAC953-55E9-48C4-9B7A-D6150F32D118}> spp_portscan: portscan
>status from 192.168.2.3: 14 connections across 6 hosts: TCP(8), UDP(6) [**]
>
>
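To see what Matt's tuning advice (an ignore-host list plus a higher "N connections in S seconds" threshold) would do to the alerts quoted above before editing snort.conf, here is an added example that parses the two spp_portscan alert formats and re-filters them. This is not code from the thread or from Snort: the regexes, the rate comparison, the shortened interface GUID and the last sample line are my own constructions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed sample in the spp_portscan format quoted in the thread; each alert
# re-joined onto one line, GUID shortened. The final line is an added, constructed
# alert that looks like a genuine sweep, for contrast with the LAN chatter.
SAMPLE_ALERTS = r"""
12/10-15:23:40.976000 [**] [100:1:1] <\Device\NPF_{GUID}> spp_portscan: PORTSCAN DETECTED on \Device\NPF_{GUID} from 192.168.1.1 (THRESHOLD 10 connections exceeded in 3 seconds) [**]
12/10-15:23:44.554000 [**] [100:1:1] <\Device\NPF_{GUID}> spp_portscan: PORTSCAN DETECTED on \Device\NPF_{GUID} from 192.168.1.2 (THRESHOLD 10 connections exceeded in 11 seconds) [**]
12/10-15:23:46.148000 [**] [100:2:1] <\Device\NPF_{GUID}> spp_portscan: portscan status from 192.168.2.1: 6 connections across 6 hosts: TCP(0), UDP(6) [**]
12/10-15:23:46.164000 [**] [100:2:1] <\Device\NPF_{GUID}> spp_portscan: portscan status from 192.168.2.3: 14 connections across 6 hosts: TCP(8), UDP(6) [**]
12/10-15:24:02.001000 [**] [100:2:1] <\Device\NPF_{GUID}> spp_portscan: portscan status from 192.168.2.50: 55 connections across 40 hosts: TCP(55), UDP(0) [**]
""".strip().splitlines()

HEADER_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\]")
DETECTED_RE = re.compile(r"PORTSCAN DETECTED on \S+ from (?P<src>[\d.]+) "
                         r"\(THRESHOLD (?P<conns>\d+) connections exceeded in (?P<secs>\d+) seconds\)")
STATUS_RE = re.compile(r"portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections "
                       r"across (?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)")

@dataclass
class PortscanAlert:
    timestamp: str
    sid: int                 # 1 = "PORTSCAN DETECTED", 2 = "portscan status"
    src: str
    connections: int
    seconds: Optional[int] = None   # only present on sid 1
    hosts: Optional[int] = None     # only present on sid 2
    tcp: int = 0
    udp: int = 0

def parse_alert(line: str) -> Optional[PortscanAlert]:
    """Parse one spp_portscan (generator id 100) line; None for anything else."""
    head = HEADER_RE.match(line)
    if not head or head["gid"] != "100":
        return None
    sid = int(head["sid"])
    if sid == 1 and (m := DETECTED_RE.search(line)):
        return PortscanAlert(head["ts"], sid, m["src"], int(m["conns"]), seconds=int(m["secs"]))
    if sid == 2 and (m := STATUS_RE.search(line)):
        return PortscanAlert(head["ts"], sid, m["src"], int(m["conns"]), hosts=int(m["hosts"]),
                             tcp=int(m["tcp"]), udp=int(m["udp"]))
    return None

def triage(lines: Iterable[str], ignore_hosts: List[str], conns: int, secs: int,
           min_hosts: int) -> List[PortscanAlert]:
    """Keep only alerts that would still fire under a LAN-tuned config: ignore_hosts
    plays the role of portscan-ignorehosts, (conns, secs) the raised threshold; a
    status alert survives if it touches min_hosts hosts or exceeds conns outright."""
    ignored = [ip_network(n) for n in ignore_hosts]
    kept = []
    for a in filter(None, map(parse_alert, lines)):
        if any(ip_address(a.src) in n for n in ignored):
            continue
        if a.sid == 1 and a.connections / a.seconds >= conns / secs:
            kept.append(a)   # logged burst rate meets the tuned rate
        elif a.sid == 2 and (a.hosts >= min_hosts or a.connections >= conns):
            kept.append(a)
    return kept
```

Running triage over the sample with the gateway ignored and a 20-connections-in-3-seconds threshold leaves only the constructed 40-host sweep, whereas the stock 10-in-3 threshold with no ignore list keeps four of the five.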