[Snort-users] portscans of the broadcast address?
ag-snort at ...7149...
Fri Oct 11 17:20:04 EDT 2002
how do you want to 'block' them? you want it to stop alerting? or you
want to block them via 'dropping' packets?
check out portscan2-ignorehosts, its the same function that preprocessor
That seems like what your attempting todo.
Hope it helps... Just my 8cents, the other 2 are free! :-)
Bob Van Cleef wrote:
>I am seeing these false positives. I suspect they may be rwhod broadcasts,
>but am not how to verify this and where I would block them in the
>[**] [117:1:1] (spp_portscan2) Portscan detected from 220.127.116.11: 6
>targets 6 ports in 50 seconds [**]
>10/11-15:50:18.538938 18.104.22.168:513 -> 22.214.171.124:513
>UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
The secret to success is to start from scratch and keep on scratching.
More information about the Snort-users