[Snort-users] Snort portscan false positives?

Bob Van Cleef vancleef at ...211...
Thu Oct 10 10:05:05 EDT 2002

On Wed, 9 Oct 2002, Erek Adams wrote:

> On 9 Oct 2002, Felipe Alfaro Solana wrote:
> > You say ps2 has no idea what my HOME_NET is... I have defined HOME_NET
> > on my "snort.conf" file as "var HOME_NET". Does ps2
> > ignore the value of this variable?
> I've only just perused the source, so don't take this as gospel.  :-)
> >From what I see, none of the preprocessors check or care about the HOME_NET
> variable.  This variable is used more in rules than anything else.  If you'll
> look at the way you pass switches or parameters to plugins you'll notice that
> they all have statements in the .conf like 'portscan2-ignorehosts'.  That's
> what they seem to look for when they are registered with Snort.
> I'd suggest setting something like 'portscan2-ignorehosts: $HOME_NET'.  Since
> variable substitution is handled when the .conf is read, the statement passed
> into ps2 is 'portscan2-ignorehosts:'.
> If you don't want to put the whole HOME_NET in there, just add the single
> box(es) that is/are giving you issues.

I would simply like to ignore portscans based on the source port of 80.
After all, I am looking for internal systems doing scans, such as thosed
caused by virus infections.  Since we are behind a NAT, maybe the correct
solution would be to make it 'portscan2-ignorehosts: !$HOME_NET'.


> Hope that helps!
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list