[Snort-users] portscans of the broadcast address?

Alberto Gonzalez ag-snort at ...7149...
Fri Oct 11 17:20:04 EDT 2002


How do you want to 'block' them? Do you want it to stop alerting, or do you 
want to block them via 'dropping' packets?

Check out portscan2-ignorehosts; it's the same function that preprocessor 
portscan had.
That seems like what you're attempting to do.

Hope it helps... Just my 8 cents, the other 2 are free! :-)

    - Albert

Bob Van Cleef wrote:

>I am seeing these false positives. I suspect they may be rwhod broadcasts,
>but am not sure how to verify this and where I would block them in the
>configuration files.
>
>[**] [117:1:1] (spp_portscan2) Portscan detected from 192.86.7.22: 6 
>targets 6 ports in 50 seconds [**]
>10/11-15:50:18.538938 192.86.7.22:513 -> 192.86.7.255:513
>UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
>Len: 68
>
>Bob
>
>  
>
-- 
The secret to success is to start from scratch and keep on scratching.
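
One way to check the rwhod suspicion from the alert text alone, as an added example that is not part of the original thread: rwhod status packets go from UDP port 513 to UDP port 513 on the subnet broadcast address, and their payload is a 60-byte `struct whod` header followed by 24 bytes per logged-in user. The /24 prefix length and the function name `check_rwhod` are assumptions; the sample is the quoted alert with its wrapped first line rejoined.

```python
import ipaddress
import re

# Constructed sample: the alert quoted in the message above, first line unwrapped.
SAMPLE_ALERT = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.86.7.22: 6 targets 6 ports in 50 seconds [**]
10/11-15:50:18.538938 192.86.7.22:513 -> 192.86.7.255:513
UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
Len: 68
"""

RWHO_PORT = 513    # UDP "who" service used by rwhod
WHOD_HEADER = 60   # fixed part of struct whod (protocols/rwhod.h)
WHOENT_SIZE = 24   # one logged-in-user record appended to the header
UDP_HEADER = 8

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
HDR_RE = re.compile(r"^(\w+) TTL:.*IpLen:(\d+) DgmLen:(\d+)", re.M)


def check_rwhod(alert_text, prefix_len=24):
    """Return (looks_like_rwhod, details) for one Snort full-format alert.

    prefix_len is an assumption about the local netmask; the alert does not carry it.
    """
    flow = FLOW_RE.search(alert_text)
    hdr = HDR_RE.search(alert_text)
    if not flow or not hdr:
        return False, {"error": "unparsed alert"}
    src, dst = flow.group(1), flow.group(3)
    sport, dport = int(flow.group(2)), int(flow.group(4))
    proto, ip_len, dgm_len = hdr.group(1), int(hdr.group(2)), int(hdr.group(3))
    # Derive the UDP payload from the IP lengths rather than from "Len:".
    payload = dgm_len - ip_len - UDP_HEADER
    net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    checks = {
        "udp": proto == "UDP",
        "ports_513": sport == RWHO_PORT and dport == RWHO_PORT,
        "dst_is_broadcast": ipaddress.ip_address(dst) == net.broadcast_address,
        "src_on_subnet": ipaddress.ip_address(src) in net,
        "whod_sized": payload >= WHOD_HEADER
        and (payload - WHOD_HEADER) % WHOENT_SIZE == 0,
    }
    users = (payload - WHOD_HEADER) // WHOENT_SIZE if checks["whod_sized"] else None
    return all(checks.values()), {"payload": payload, "users": users, **checks}
```

This is a header-only heuristic; checking whether rwhod is actually running on 192.86.7.22, or capturing the payload, is what confirms it.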
