[Snort-users] Portscan from self?

Miller, Eoin Miller at ...6968...
Tue Oct 8 08:31:05 EDT 2002


I'm assuming your WAN interface does IP masquerading/hidden NAT. Basically, if you have 10 people sharing that one public address and they are all surfing the web, your WAN interface is going to send out 10 different requests, all from that WAN interface's IP, all from different ports, and the destination will be port 80. This triggers Snort's portscan rule because one IP has contacted several different IPs in a very short amount of time. Tweak the Snort rules to stop this.

In your snort.conf file you will see this:

var IGNORE_PORTSCAN [w.x.y.z,w.x.y.z]

Just put the IPs you want to be ignored in there and restart Snort and you will be golden. Put your DNS server IPs in there too, along with your WAN interface, to cut down on these chatty alerts.

> -----Original Message-----
> From: Marc Thomas [mailto:marc at ...7103...]
> Sent: Tuesday, October 08, 2002 11:13 AM
> To: Snort-users
> Subject: [Snort-users] Portscan from self?
> 
> 
> Hello,
> 
> I keep getting the following:
> 
> spp_portscan: PORTSCAN DETECTED from w.x.y.z (THRESHOLD 4 connections
> exceeded in 2 seconds)
> Oct  8 10:06:15 noc snort: spp_portscan: portscan status from 
> w.x.y.z: 6
> connections across 6 hosts: TCP(6), UDP(0)
> Oct  8 10:06:30 noc snort: spp_portscan: portscan status from 
> w.x.y.z: 1
> connections across 1 hosts: TCP(1), UDP(0)
> Oct  8 10:06:38 noc snort: spp_portscan: portscan status from 
> w.x.y.z: 2
> connections across 2 hosts: TCP(2), UDP(0)
> 
> w.x.y.z being my WAN interface.
> 
> What's causing this? Anything I can do to stop it?
> 
> btw, using snort version 1.9.0 on Debian woody
> 
> 
> Thanks,
> 
> Marc
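An added example, not part of the original messages and not Snort's own code: a script that tallies spp_portscan alerts per source, using the two alert formats quoted above, and builds the `IGNORE_PORTSCAN` line only from alerting addresses you declare as your own. The sample log lines, the 192.0.2.x and 203.0.113.x addresses, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Alert formats as quoted in this thread (spp_portscan, Snort 1.9.0).
DETECT = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\S+) \(THRESHOLD")
STATUS = re.compile(r"spp_portscan: portscan status from (\S+): (\d+) connections "
                    r"across (\d+) hosts: TCP\((\d+)\), UDP\((\d+)\)")

def summarize(lines):
    """Tally detections and reported connections per source address."""
    stats = defaultdict(lambda: {"detections": 0, "connections": 0,
                                 "max_hosts": 0, "tcp": 0, "udp": 0})
    for line in lines:
        m = DETECT.search(line)
        if m:
            stats[m.group(1)]["detections"] += 1
            continue
        m = STATUS.search(line)
        if m:
            conns, hosts, tcp, udp = (int(g) for g in m.groups()[1:])
            s = stats[m.group(1)]
            s["connections"] += conns
            s["max_hosts"] = max(s["max_hosts"], hosts)
            s["tcp"] += tcp
            s["udp"] += udp
    return dict(stats)

def ignore_line(stats, own_addresses):
    """snort.conf variable listing only alerting sources that are our own."""
    own = sorted(ip for ip in stats if ip in own_addresses)
    return "var IGNORE_PORTSCAN [%s]" % ",".join(own) if own else None

def still_alerting(stats, own_addresses):
    """Sources that are not ours and should keep raising alerts."""
    return sorted(ip for ip in stats if ip not in own_addresses)

# Constructed sample: NAT gateway (TCP), DNS server (UDP), one outside source.
P = "Oct  8 10:06:15 noc snort: spp_portscan: "
SAMPLE = [
    P + "PORTSCAN DETECTED from 192.0.2.1 (THRESHOLD 4 connections exceeded in 2 seconds)",
    P + "portscan status from 192.0.2.1: 6 connections across 6 hosts: TCP(6), UDP(0)",
    P + "portscan status from 192.0.2.1: 1 connections across 1 hosts: TCP(1), UDP(0)",
    P + "portscan status from 192.0.2.1: 2 connections across 2 hosts: TCP(2), UDP(0)",
    P + "PORTSCAN DETECTED from 192.0.2.53 (THRESHOLD 4 connections exceeded in 2 seconds)",
    P + "portscan status from 192.0.2.53: 5 connections across 5 hosts: TCP(0), UDP(5)",
    P + "PORTSCAN DETECTED from 203.0.113.77 (THRESHOLD 4 connections exceeded in 2 seconds)",
    P + "portscan status from 203.0.113.77: 40 connections across 1 hosts: TCP(40), UDP(0)",
]
OWN = {"192.0.2.1", "192.0.2.53"}  # assumed: WAN interface and DNS server

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(ignore_line(stats, OWN))
    print("keep alerting on:", still_alerting(stats, OWN))
```

A source that is not in the declared set of own addresses never reaches the generated line, so it keeps producing portscan alerts.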



