[Snort-users] portscans of the broadcast address?
erek at ...577...
Fri Oct 11 17:27:03 EDT 2002
On Fri, 11 Oct 2002, Bob Van Cleef wrote:
> I am seeing these false positives. I suspect they may be rwhod broadcasts,
> but am not how to verify this and where I would block them in the
> configuration files.
> [**] [117:1:1] (spp_portscan2) Portscan detected from 22.214.171.124: 6
> targets 6 ports in 50 seconds [**]
> 10/11-15:50:18.538938 126.96.36.199:513 -> 188.8.131.52:513
> UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
> Len: 68
Depends on how you want to ignore them. There are generally two ways to
'ignore' things in snort: BPF filters and Pass rules. Since this is coming
from the portscan2 preprocessor, you could also use portscan2-ignorehosts.
More information about the Snort-users