[Snort-users] portscans of the broadcast address?

Erek Adams erek at ...577...
Fri Oct 11 17:27:03 EDT 2002

On Fri, 11 Oct 2002, Bob Van Cleef wrote:

> I am seeing these false positives. I suspect they may be rwhod broadcasts,
> but am not how to verify this and where I would block them in the
> configuration files.
> [**] [117:1:1] (spp_portscan2) Portscan detected from 6
> targets 6 ports in 50 seconds [**]
> 10/11-15:50:18.538938 ->
> UDP TTL:64 TOS:0x0 ID:17338 IpLen:20 DgmLen:88
> Len: 68

Depends on how you want to ignore them.  There are generally two ways to
'ignore' things in snort:  BPF filters and Pass rules.[0] Since this is coming
from the portscan2 preprocessor, you could also use portscan2-ignorehosts.


Erek Adams

[0]	http://www.theadamsfamily.net/~erek/snort/ignore.txt

More information about the Snort-users mailing list