[Snort-users] Port scan and MISC Large ICMP Packet

John Sage jsage at ...2022...
Mon Mar 4 08:20:10 EST 2002


"Spp_portscan signature" -- this is not from a rule, but rather from a
plugin - within snort.conf:

"# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings. 

preprocessor portscan: $HOME_NET 4 3 portscan.log"

Comment this out, and you should be good to go..


For the second, you might try writing a rule something like this:

#
pass tcp aaa.bbb.ccc.ddd/32 any <-> $HOME_NET any (msg:"TCP to/from aaa.bbb.ccc.ddd";)


and start snort with the -o flag to re-order the rules, checking
"pass" rules before "alert" rules...


HTH..

- John
-- 
Most people don't type their own logfiles;  but, what do I care?



On Mon, Mar 04, 2002 at 09:29:03AM -0500, CGI wrote:
> 1.I have o lot of Spp_portscan signature (snort and
> acid)and I would like to remove it. My sensor is
> working in a environment with load balacieng servers
> so port scanning is normal. Where is this signature
> because I didn't found it?
> 
> 2. I have a connection between a web-server and MSsql
> server on port 6000. the problem is the sensor is
> reacting on each transaction and the signature is MISC
> Large ICMP Packet. How can I separate the normal
> traffic and tell the sensor not to react?
> 
> Thanks 
> Jo




More information about the Snort-users mailing list