[Snort-users] Portscan preprocessor and false positives

Bennett Todd bet at ...6163...
Wed Oct 16 08:50:05 EDT 2002

2002-10-16-09:39:09 Ben Keepper:
> I must be missing it, because I thought I mentioned in my original post
> that I didn't want to use portscan-ignore hosts.

Ok, I can see that; presumably this would be because you still want
to see non-port-80 portscans for these hosts.

> Since it is a preprocessor, a pass rule won't work either, right?
> Now, I haven't played with the BPF filters.  Based on the example on
> your web page, it kind of looks like it might work, except that it is a
> preprocessor generating the alerts, so I am not sure.

BPF will indeed work here; while pass rules don't get handled before
preprocessors, BPF does: it's logically down below the network read
process; it's front-end filtering. The stream of packets fed up to
snort, for consideration by preprocessors and pass/alert/log rules
in whatever order, is first filtered by your BPF expression, if any.

> Since apparently I didn't get my point across earlier, what I am trying
> to do is get the portscan preprocessor to ignore port 80, even better if
> I can only ignore port 80 if the source is HOME_NET.

Let us suppose your HOME_NET is; then the BPF should
I believe be something like

	src net and ip proto tcp and dst port 80

The second and third clauses could be collapsed to "dst port http",
except that at least my /etc/services has both 80/tcp and 80/udp for
http, so you need the ip proto restriction anyway.

If you had HOME_NET more like [,], then
the BPF rendition would look more like

  '(src net or and ip proto tcp and dst port 80'

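As an added illustration (not part of Bennett's mail), here is a small Python model of how a BPF front-end filter of the shape above admits packets before Snort's preprocessors ever see them; the HOME_NET blocks (10.0.0.0/8, 192.168.0.0/16) and the sample packets are constructed, since the real nets were lost from the archived message.

```python
# Added example, not from the original post: a toy model of the BPF
# front-end filter described in the mail.  Only packets for which the
# expression is true are handed up to Snort's preprocessors and rules.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def render_bpf(home_nets):
    """Spell out the filter for one or several HOME_NET blocks, in the
    shape the post uses: a single 'src net' clause, or several 'src net'
    clauses OR-ed together inside parentheses."""
    if len(home_nets) == 1:
        src = f"src net {home_nets[0]}"
    else:
        src = "(" + " or ".join(f"src net {n}" for n in home_nets) + ")"
    # 'ip proto tcp' is kept rather than collapsing to 'dst port http'
    # because /etc/services maps http to both 80/tcp and 80/udp.
    return f"{src} and ip proto tcp and dst port 80"

def matches(pkt, home_nets):
    """Evaluate the expression against one packet."""
    src = ipaddress.ip_address(pkt.src)
    in_home = any(src in ipaddress.ip_network(n) for n in home_nets)
    return in_home and pkt.proto == "tcp" and pkt.dport == 80

def bpf_front_end(packets, home_nets):
    """Everything above the capture layer sees only this subset."""
    return [p for p in packets if matches(p, home_nets)]

# Constructed sample traffic; these nets stand in for the HOME_NET
# values missing from the archived mail.
HOME_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE = [
    Packet("10.1.2.3", "198.51.100.7", "tcp", 80),     # HOME_NET -> web
    Packet("10.1.2.3", "198.51.100.7", "udp", 80),     # 80/udp: dropped by ip proto tcp
    Packet("192.168.5.9", "198.51.100.7", "tcp", 80),  # second HOME_NET block
    Packet("203.0.113.4", "10.1.2.3", "tcp", 80),      # external source
    Packet("10.1.2.3", "198.51.100.7", "tcp", 443),    # other destination port
]

if __name__ == "__main__":
    print(render_bpf(HOME_NETS))
    for p in bpf_front_end(SAMPLE, HOME_NETS):
        print("passed up to snort:", p)
```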