[Snort-users] Portscan preprocessor and false positives

Ben Keepper lists at ...3351...
Tue Oct 15 19:05:04 EDT 2002

I didn't see this covered in the FAQ.

We are receiving a lot of spp:portscan alerts when internal users go to
sites like msn.com (go figure).  

All the separate banner ads are showing up as separate IPs and the
portscan preprocessor fires.  I have tried increasing the thresholds to
no avail.

I could add HOME_NET to the ignore hosts variable, but would prefer to
just have the preprocessor for sensor ignore what it thinks are port
scans on port 80.

So can I get the portscan preprocessor to ignore port 80?

Thanks to everybody for your help.

