[Snort-users] RE: Portscan2 filtering suggestions - Snort 1.9.0 & acid

Beckett, Josh JBeckett at ...7082...
Wed Oct 9 13:48:03 EDT 2002

Just to clarify, I do have $HOME_NET and $IGNORE_PORTSCAN defined
properly, and the alerts are sourced on port 80 of the web server and
reply to the appropriate ephemeral ports on my home net.

Basically a scan alert triggering only on the web server's reply to my
user's outbound request, but not an alert on the original request nor
the multiple ports opening with the destination of the server's port 80.

I home that makes it more clear.


-----Original Message-----
From: Beckett, Josh 
Sent: Wednesday, October 09, 2002 1:38 PM
To: 'Snort-users at lists.sourceforge.net'
Subject: Portscan2 filtering suggestions - Snort 1.9.0 & acid

I'm trying to tune out the false positives triggered by my users going
to a website and the ensuing http conversation opening up many ports.

I've upped the portscan2 preprocessor port_limit value from default to
20 and then to 25.  Each time I increase the value, the alerts continue
to trigger at the new, higher threshold.

I understand what is going on at the tcp level but I am concerned that
the more I increase the threshold, the greater my chances of missing a
real scan.

In the reported alerts, the target value is always 1, which makes sense,
so I haven't messed with the portscan2 target value.  The alerts are
often under 5-10 seconds so adjusting the timeout would seem to have
little positive effect without an equal negative effect of increasing
the potential for missing true positives.

Any suggestions, thoughts, criticisms on what other adjustments I could
make (other than the obvious of keep crankin' up the port_limit and
lower the timeout)?

Josh Beckett

More information about the Snort-users mailing list