[Snort-users] Snort portscan false positives?
Bob Van Cleef
vancleef at ...211...
Thu Oct 10 10:05:05 EDT 2002
On Wed, 9 Oct 2002, Erek Adams wrote:
> On 9 Oct 2002, Felipe Alfaro Solana wrote:
> > You say ps2 has no idea what my HOME_NET is... I have defined HOME_NET
> > on my "snort.conf" file as "var HOME_NET 192.168.0.0/24". Does ps2
> > ignore the value of this variable?
> I've only just perused the source, so don't take this as gospel. :-)
> From what I see, none of the preprocessors check or care about the HOME_NET
> variable. This variable is used more in rules than anything else. If you'll
> look at the way you pass switches or parameters to plugins you'll notice that
> they all have statements in the .conf like 'portscan2-ignorehosts'. That's
> what they seem to look for when they are registered with Snort.
> I'd suggest setting something like 'portscan2-ignorehosts: $HOME_NET'. Since
> variable substitution is handled when the .conf is read, the statement passed
> into ps2 is 'portscan2-ignorehosts: 192.168.0.0/24'.
> If you don't want to put the whole HOME_NET in there, just add the single
> box(es) that is/are giving you issues.
I would simply like to ignore portscans based on the source port of 80.
After all, I am looking for internal systems doing scans, such as those
caused by virus infections. Since we are behind a NAT, maybe the correct
solution would be to make it 'portscan2-ignorehosts: !$HOME_NET'.
> Hope that helps!
> Erek Adams
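As an added illustration (not code from this thread or from Snort itself), a small Python model of the mechanism Erek describes: `$HOME_NET` is expanded when the .conf is read, so portscan2 only ever sees a literal address list and never consults the variable. The config fragment is constructed from the values quoted above; the space-separated ignorehosts list format is an assumption.

```python
"""Simplified model of snort.conf variable expansion for a preprocessor
directive. Constructed example; it does not reproduce Snort's real parser."""
import ipaddress
import re

# Constructed snort.conf fragment using the thread's values.
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any
preprocessor portscan2-ignorehosts: $HOME_NET
"""


def parse_vars(conf: str) -> dict:
    """Collect `var NAME VALUE` definitions from the config text."""
    variables = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2].strip()
    return variables


def expand(line: str, variables: dict) -> str:
    """Replace each $NAME with its value; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), line)


def ignorehosts(conf: str) -> list:
    """Return the expanded portscan2-ignorehosts entries as ip_network objects.
    Assumes a space-separated list of addresses or CIDR blocks."""
    variables = parse_vars(conf)
    for line in conf.splitlines():
        if line.startswith("preprocessor portscan2-ignorehosts:"):
            value = expand(line.split(":", 1)[1], variables)
            return [ipaddress.ip_network(v, strict=False) for v in value.split()]
    return []  # no directive present: the preprocessor ignores nothing


def is_ignored(src_ip: str, networks: list) -> bool:
    """Would portscan2 suppress a scan whose source is src_ip?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = ignorehosts(SAMPLE_CONF)
    print([str(n) for n in nets])             # ['192.168.0.0/24']
    print(is_ignored("192.168.0.42", nets))   # True
    print(is_ignored("10.0.0.7", nets))       # False
```

Defining HOME_NET alone (without the ignorehosts directive) yields an empty ignore list, which is the behaviour the thread is explaining.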