[Snort-users] Portscan: ignoreports option

Erek Adams erek at ...577...
Sun Feb 10 18:49:03 EST 2002


On Sun, 10 Feb 2002, Andy Leigh wrote:

> BPF filters seemed a good way to go as well, but when I tried to put a
> filter together I became discouraged. The portscan is mostly being tripped
> off each Windows 9x client trying boot-up and log in. The first time you
> analyse how it does it, your jaw drops. For a network with only one PDC or a
> PDC + BDC, I'm certain that this is not a problem. What I see is this:

[...snip...]

*gack*

> Imagine 500 machines all booting up!

Dear lord....  I'm so glad I don't have to deal with that kind of 'fun'.

> I could put a BPF filter in on "any 135:139" going to all the addresses in
> the WINS boxes, but I think that I would then miss important other weird
> behaviour against the NetBIOS structure. A "Portscan: ignoreports" option
> would let me do all normal tracking, but not go made with W9x bootup
> behaviour.

Yep, in the situation a ignoreports option would be the only thing that could
save you.

> By the way, all W9x clients do this behaviour with "administrator" as the
> logon ID. Given that the machines aren't logging in, they are just probing,
> I think this was irresponsible behaviour by the MS coders.

Well, It's not the optimum solution, but you could replace all those M$ boxes
with SunRays, *BSD boxes, Linux boxes, etc...  :)  Ok, it's a dream...

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list