[Snort-users] disabling portscan false alarms for a certain port (137)

Steve.Evans at ...5369...
Thu Mar 21 13:18:08 EST 2002


Hi all.

I'm getting the following:

Mar 21 10:01:03 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:07 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 3 connections across 3 hosts: TCP(0), UDP(3)
Mar 21 10:01:11 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:15 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)
Mar 21 10:01:20 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:24 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 1 connections across 1 hosts: TCP(0), UDP(1)
Mar 21 10:01:28 linux snort[4308]: spp_portscan: portscan status from
192.168.1.3: 2 connections across 2 hosts: TCP(0), UDP(2)

Etc..

This node is not a DNS server.. and it's not the only node that I get
notified about.

The portscan.log looks like:

Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:18 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:21 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:26 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:29 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:31 192.168.1.3:137 -> 192.168.1.130:137 UDP  
Mar 21 12:01:34 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:35 192.168.1.3:137 -> 192.168.1.21:137 UDP  
Mar 21 12:01:38 192.168.1.3:137 -> 192.168.1.130:137 UDP  

Etc..

Rather than ignoring all portscans from/to this host, I'd like to just be
able to ignore portscans on UDP port 137 (NetBIOS?).

Is there a way to do this with snort (Version 1.8.1-RELEASE (Build 74))?

Thanks!

Steve..

PS, please reply directly, I'm not on the mailing list..
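As an added illustration (not code from the poster or from the Snort project), here is a small post-processing filter for the portscan.log format quoted above. It parses each line, sets aside entries that are plain NetBIOS name-service traffic (UDP with source port and destination port both 137, which is what the quoted lines show) and summarizes whatever remains per source host, protocol and destination port, so the remaining entries can be reviewed on their own. The sample lines are constructed; the two TCP entries and their flag column are an assumption about how spp_portscan writes non-UDP lines, and the script configures nothing in Snort itself.

```python
import re
from collections import Counter

# Constructed sample in the portscan.log layout quoted in the post:
# "<Mon DD HH:MM:SS> <src>:<port> -> <dst>:<port> <proto> [flags]".
# The two SYN lines are an assumed format for TCP entries, added so the
# filter has something to keep.
SAMPLE_LOG = """\
Mar 21 12:01:11 192.168.1.3:137 -> 192.168.1.130:137 UDP
Mar 21 12:01:13 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:16 192.168.1.3:137 -> 192.168.1.21:137 UDP
Mar 21 12:01:18 192.168.1.3:1034 -> 192.168.1.21:139 SYN ******S*
Mar 21 12:01:21 192.168.1.3:1034 -> 192.168.1.21:445 SYN ******S*
Mar 21 12:01:24 192.168.1.3:137 -> 192.168.1.130:137 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one portscan.log line, or None if it does not match.

    Trailing whitespace (present in the quoted log) is stripped first.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
        "flags": m.group("rest").strip(),
    }


def is_netbios_ns(entry, port=137):
    """True for NetBIOS name-service chatter: UDP, both ports equal to `port`.

    Requiring both ports keeps the filter narrow: a probe of port 137 sent
    from an ephemeral source port is not suppressed.
    """
    return (entry["proto"] == "UDP"
            and entry["sport"] == port
            and entry["dport"] == port)


def filter_portscan_log(text, ignore_port=137):
    """Split log text into (kept entries, number of suppressed entries)."""
    kept, dropped = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # blank or unrecognized line
        if is_netbios_ns(entry, ignore_port):
            dropped += 1
        else:
            kept.append(entry)
    return kept, dropped


def summarize(entries):
    """Count remaining entries per (source host, protocol, destination port)."""
    return Counter((e["src"], e["proto"], e["dport"]) for e in entries)


if __name__ == "__main__":
    kept, dropped = filter_portscan_log(SAMPLE_LOG)
    print(f"suppressed {dropped} NetBIOS name-service entries, {len(kept)} remain")
    for (src, proto, dport), n in summarize(kept).most_common():
        print(f"{src} {proto} -> port {dport}: {n}")
```

Run it against a real portscan.log by reading the file into `filter_portscan_log`; any line the regex does not recognize is skipped rather than silently treated as benign, so check the count of parsed lines against `wc -l` if the format differs from the one quoted here.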
