[Snort-users] Snort portscan false positives?

Felipe Alfaro Solana snort at ...7121...
Wed Oct 9 14:40:04 EDT 2002


You say ps2 has no idea what my HOME_NET is... I have defined HOME_NET
on my "snort.conf" file as "var HOME_NET 192.168.0.0/24". Does ps2
ignore the value of this variable?

On Wed, 2002-10-09 at 22:00, Erek Adams wrote:

> The reason that portscan2 is flagging that as a scan is there are 'more than
> x connections to y targets.'  Since ps2 has no idea of what your HOME_NET is,
> it sees the connections and flags them, even though they are coming from you.
> 
> Just define portscan2-ignorehosts with your IP and all should be well.
> 
> Cheers!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net





More information about the Snort-users mailing list