Jon Hart jhart at ...2692...
Sat Feb 9 12:37:04 EST 2002

On Fri, Feb 08, 2002 at 09:46:45AM -0000, Andy Leigh wrote:
> Folks,
> You can put a list into portscan_ignorehosts, but what would be very handy
> would be to have an option "portscan_ignoreports". In a large infrastructure
> with a lot of clients waking up and trying to find NetBIOS shares and BDCs,
> there's a lot of portscan noise all on the 138 and 139 ports. 
> Is there an option or tweak I'm missing?

I had mentioned this some time back (maybe over the summer sometime?).

In my case, I really need to ignore scans that are generated from ftp
traffic.  We mirror a large number of sites, and we also get mirrored from
time to time.  The majority of this is done via anonymous ftp.  The
portscan logs can get quite unruly when the mirroring happens, but I at
least know that snort is doing its job.  What I need is a way to ignore
traffic that is generated from a mirroring.  A portscan-ignoreports would
do the trick.

The problem is that you may just be shooting yourself in the foot with a
directive like this.  If I had "portscan-ignoreports: 20" in my config
file, all an attacker would have to do to evade my IDS would be to send
traffic from port 20.  That's assuming an ignoreports directive would only
apply to one of src_port or dst_port, but even that is open to debate.

Unless someone beats me to it, I'll plan on getting something together that
ignores certain ports once classes die down a bit.  
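The blind spot Jon describes can be shown with a toy portscan counter. This is an added example, not Snort code and not anything from the list thread: it assumes a constructed FTP server 10.0.0.5 pushing active-mode data connections from port 20 to a mirror host (which looks like a scan of that host's ephemeral ports), and a constructed scanner 192.0.2.77 that also sources its probes from port 20. The `flagged_sources` function, the threshold and all addresses are invented for the demonstration. It contrasts a bare port exception, which silences the mirror noise but also hides the scanner, with an exception scoped to a (host, port) pair, which keeps the scanner visible.

```python
from collections import defaultdict

# Alert when one source touches at least this many distinct destination
# (host, port) pairs.  Constructed threshold for the demo, not a Snort default.
SCAN_THRESHOLD = 5

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port).
# 10.0.0.5 is our hypothetical FTP server; in active mode it opens data
# connections from port 20 to the mirror's ephemeral ports, which a portscan
# detector sees as one source hitting many ports on one host.
MIRROR_TRAFFIC = [
    ("10.0.0.5", 20, "203.0.113.9", 40000 + i) for i in range(8)
]

# 192.0.2.77 is a constructed scanner that sources every probe from port 20,
# exactly the evasion the thread worries about.
SCANNER_TRAFFIC = [
    ("192.0.2.77", 20, "10.0.0.5", dport) for dport in (21, 22, 25, 80, 110, 143)
]

ALL_TRAFFIC = MIRROR_TRAFFIC + SCANNER_TRAFFIC


def flagged_sources(packets, ignore_src_ports=frozenset(), ignore_host_ports=frozenset()):
    """Return the sorted source IPs that cross SCAN_THRESHOLD.

    ignore_src_ports:  bare port numbers; any packet with that source port is
                       excluded from the count no matter who sent it (the
                       hypothetical "portscan-ignoreports" behaviour).
    ignore_host_ports: (src_ip, src_port) pairs; only that host's use of that
                       port is excluded, so other hosts on the same port count.
    """
    touched = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in packets:
        if src_port in ignore_src_ports:
            continue
        if (src_ip, src_port) in ignore_host_ports:
            continue
        touched[src_ip].add((dst_ip, dst_port))
    return sorted(src for src, dsts in touched.items() if len(dsts) >= SCAN_THRESHOLD)


def compare_policies(packets=ALL_TRAFFIC):
    """Run the three policies side by side and return their alert lists."""
    return {
        "no exception": flagged_sources(packets),
        "ignore src port 20": flagged_sources(packets, ignore_src_ports={20}),
        "ignore 10.0.0.5:20 only": flagged_sources(packets, ignore_host_ports={("10.0.0.5", 20)}),
    }


if __name__ == "__main__":
    for label, hits in compare_policies().items():
        print(f"{label:26s} -> {hits if hits else 'no alert'}")
```

With no exception both the mirror and the scanner are flagged; ignoring source port 20 outright silences both, which is the evasion; exempting only the known server's port 20 leaves the scanner flagged. The same logic applies if the directive matched destination ports instead, since the scanner can choose either end of the connection it initiates.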
