[Snort-users] portscans of the broadcast address?

Alberto Gonzalez ag-snort at ...7149...
Fri Oct 11 17:20:04 EDT 2002

how do you want to 'block' them? you want it to stop alerting? or you 
want to block them via 'dropping' packets?

check out portscan2-ignorehosts, its the same function that preprocessor 
portscan had.
That seems like what your attempting todo.

Hope it helps... Just my 8cents, the other 2 are free! :-)

    - Albert

Bob Van Cleef wrote:

>I am seeing these false positives. I suspect they may be rwhod broadcasts,
>but am not how to verify this and where I would block them in the
>configuration files.
>[**] [117:1:1] (spp_portscan2) Portscan detected from 6 
>targets 6 ports in 50 seconds [**]
>10/11-15:50:18.538938 ->
>UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
>Len: 68
The secret to success is to start from scratch and keep on scratching.

More information about the Snort-users mailing list