[Snort-users] spp_portscan msg

Erek Adams erek at ...577...
Tue Jun 11 10:51:03 EDT 2002


On Fri, 7 Jun 2002 DICEJ at ...6047... wrote:

> I recently began using snort and I'm trying to sort out the msg
> you get.  One that keeps coming up is a spp_portscan.  I can not find
> the alert that records the msg. Any idea?  I know this is a false because the
> machine identified in the error is my nat/firewall external interface.

There isn't an alert.

It's from a pre-processor.  Read through the snort.conf file.  There are explicit
instructions on how to add a 'portscan ignorehost' to the .conf--which is what
you seem to want to do.

And those alerts might be false, might not be....  Someone could be spoofing
your address....  :)  C'mon, ya gotta be paranoid a little bit!  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
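
Added example, not part of the original message: a small triage script that counts spp_portscan detections per source address and builds the ignore line for snort.conf only for addresses you list as your own. The alert lines, the addresses (documentation ranges) and the function names are constructed for illustration; the directive written out is `portscan-ignorehosts` as used in Snort 1.x configuration files.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of alert-file lines (not taken from the post).
SAMPLE_ALERTS = """\
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.10 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
[**] spp_portscan: PORTSCAN DETECTED from 198.51.100.23 (THRESHOLD 4 connections exceeded in 2 seconds) [**]
[**] ICMP PING [**]
[**] spp_portscan: PORTSCAN DETECTED from 203.0.113.10 (THRESHOLD 4 connections exceeded in 1 seconds) [**]
"""

# Source address of a preprocessor-generated detection message.
DETECTED = re.compile(
    r"spp_portscan: PORTSCAN DETECTED from (\d{1,3}(?:\.\d{1,3}){3})"
)


def triage(alert_text, own_nets):
    """Count detections per source and split them into own vs. other hosts."""
    nets = [ip_network(n) for n in own_nets]
    counts = Counter(DETECTED.findall(alert_text))
    own, other = {}, {}
    for src, hits in counts.items():
        is_own = any(ip_address(src) in net for net in nets)
        (own if is_own else other)[src] = hits
    return own, other


def ignorehosts_line(own):
    """Build the snort.conf line for own hosts, or None if there are none."""
    if not own:
        return None
    hosts = " ".join(f"{ip}/32" for ip in sorted(own, key=ip_address))
    return f"preprocessor portscan-ignorehosts: {hosts}"


if __name__ == "__main__":
    # Assumption: 203.0.113.10 stands in for the NAT/firewall external interface.
    own, other = triage(SAMPLE_ALERTS, ["203.0.113.10/32"])
    print("own hosts flagged:  ", own)
    print("other hosts flagged:", other)   # still worth a look
    print(ignorehosts_line(own))
```

Once an address is on the ignore line, the preprocessor stops reporting scans that carry it as the source, spoofed ones included, so keep the list to addresses you have checked.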




