[Snort-users] Portscan preprocessor and false positives

Ben Keepper lists at ...3351...
Wed Oct 16 06:40:02 EDT 2002


I must be missing it, because I thought I mentioned in my original post
that I didn't want to use portscan-ignore hosts.

Since it is a preprocessor, a pass rule won't work either, right?

Now, I haven't played with the BPF filters.  Based on the example on
your web page, it kind of looks like it might work, except that it is a
preprocessor generating the alerts, so I am not sure.

Since apparently I didn't get my point across earlier, what I am trying
to do is get the portscan preprocessor to ignore port 80, even better if
I can only ignore port 80 if the source is HOME_NET.

Any body know of way to do that?

(The client would like to watch their internal networks of portscans).

My original (bad) post is pasted to the end of this one.


On Tue, 2002-10-15 at 21:54, Erek Adams wrote:

On 15 Oct 2002, Ben Keepper wrote:

> I didn't see this covered in the FAQ.

Well...  Might want to read closer next time.  ;-)

http://www.snort.org/docs/faq.html#3.7
http://www.theadamsfamily.net/~erek/snort/ignore.txt

To be more specific:  Depending on what and how you want to ignore
things, you
might have to use multiple ways.  You might need to use BPF or you might
just
want a pass rule.  Since it's the portscan(2) preprocssor you should be
able
add in the portscan(2)-ignorehosts line and all should be well.

Check the archives at
http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2 and
http://marc.theaimsgroup.com/?l=snort-devel&r=1&w=2 for a recent
discussion on
that.

I could be wrong, but I think that portscan2-ignorehosts isn't quite
working
at 100%.  Again, that's IMHO so it isn't gospel.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

*** Paladin Security Systems scanned this email for malicious content
***
*** IMPORTANT: Do not open attachments from unrecognized senders  ***

I didn't see this covered in the FAQ.

We are receiving a lot of spp:portscan alerts when internal users go to
sites like msn.com (go figure). 

All the separate banner ads are showing up as separate IP and the
portscan preprocessor fires.  I have tried increasing the threshholds to
no avail.

I could add HOME_NET to the ignore hosts variable, but would prefer to
just have the preprocessor for sensor ignore what it thinks are port
scans on port 80.

So can I get the portscan preprocessor to ignore to ignore port 80?

Thanks to everybody for your help.










More information about the Snort-users mailing list