[Snort-users] Portscan: ignoreports option
erek at ...577...
Sun Feb 10 18:49:03 EST 2002
On Sun, 10 Feb 2002, Andy Leigh wrote:
> BPF filters seemed a good way to go as well, but when I tried to put a
> filter together I became discouraged. The portscan is mostly being tripped
> off each Windows 9x client trying boot-up and log in. The first time you
> analyse how it does it, your jaw drops. For a network with only one PDC or a
> PDC + BDC, I'm certain that this is not a problem. What I see is this:
> Imagine 500 machines all booting up!
Dear lord.... I'm so glad I don't have to deal with that kind of 'fun'.
> I could put a BPF filter in on "any 135:139" going to all the addresses in
> the WINS boxes, but I think that I would then miss important other weird
> behaviour against the NetBIOS structure. A "Portscan: ignoreports" option
> would let me do all normal tracking, but not go mad with W9x bootup
Yep, in the situation an ignoreports option would be the only thing that could
> By the way, all W9x clients do this behaviour with "administrator" as the
> logon ID. Given that the machines aren't logging in, they are just probing,
> I think this was irresponsible behaviour by the MS coders.
Well, it's not the optimum solution, but you could replace all those M$ boxes
with SunRays, *BSD boxes, Linux boxes, etc... :) Ok, it's a dream...