[Snort-users] Portscan preprocessor and false positives
bet at ...6163...
Wed Oct 16 08:50:05 EDT 2002
2002-10-16-09:39:09 Ben Keepper:
> I must be missing it, because I thought I mentioned in my original post
> that I didn't want to use portscan-ignore hosts.
Ok, I can see that; presumably this would be because you still want
to see non-port-80 portscans for these hosts.
> Since it is a preprocessor, a pass rule won't work either, right?
> Now, I haven't played with the BPF filters. Based on the example on
> your web page, it kind of looks like it might work, except that it is a
> preprocessor generating the alerts, so I am not sure.
BPF will indeed work here; while pass rules don't get handled before
preprocessors, BPF does: it's logically down below the network read
process, it's front-end filtering. The stream of packets fed up to
snort, for consideration by preprocessors and pass/alert/log rules
in whatever order, is first filtered by your BPF expression if any.
> Since apparently I didn't get my point across earlier, what I am trying
> to do is get the portscan preprocessor to ignore port 80, even better if
> I can only ignore port 80 if the source is HOME_NET.
Let us suppose your HOME_NET is 192.168.0.0/24; then the BPF should
I believe be something like
src net 192.168.0.0/24 and ip proto tcp and dst port 80
The second and third clauses could be collapsed to "dst port http",
except that at least my /etc/services has both 80/tcp and 80/udp for
http, so you need the ip proto restriction anyway.
If you had HOME_NET more like [10.1.1.0/24,192.168.1.0/24], then
the BPF rendition would look more like
'(src net 10.1.1.0/24 or 192.168.1.0/24) and ip proto tcp and dst port 80'
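As an added illustration (not part of the original thread, and not Snort's own code), the short Python script below renders that exclusion as a BPF string for an arbitrary HOME_NET list and then evaluates the same logic over a handful of constructed packets, so you can see which ones reach Snort's preprocessors and rules. Two points it makes concrete: a BPF expression selects the packets that are kept, so the exclusion form wraps the clauses in `not (...)`; and because the filter sits below Snort entirely, the dropped packets are invisible to every rule and preprocessor, not only to the portscan preprocessor. The sample addresses, the `is_home_web`/`snort_sees` helpers and the packet dictionaries are assumptions for the example; real evaluation is done by libpcap, not by this script.

```python
import ipaddress

# HOME_NET as in the thread's second example (two networks).
HOME_NET = ["10.1.1.0/24", "192.168.1.0/24"]

# Constructed sample packets (not captured traffic): only the fields the
# filter inspects. 203.0.113.7 is a documentation address standing in for
# an outside host.
SAMPLE_PACKETS = [
    {"desc": "HOME_NET host to tcp/80 (web client)", "src": "10.1.1.5",
     "proto": "tcp", "dport": 80},
    {"desc": "HOME_NET host to udp/80 (not web)", "src": "10.1.1.5",
     "proto": "udp", "dport": 80},
    {"desc": "HOME_NET host to tcp/22 (scan probe)", "src": "192.168.1.9",
     "proto": "tcp", "dport": 22},
    {"desc": "external host to tcp/80 (inbound)", "src": "203.0.113.7",
     "proto": "tcp", "dport": 80},
]


def build_ignore_filter(home_nets, port=80):
    """Render the exclusion as a BPF string.

    The 'ip proto tcp' clause is kept explicit for the reason given in the
    thread: 'port http' alone would also match 80/udp on many systems.
    """
    src_clause = " or ".join(f"src net {n}" for n in home_nets)
    return f"not (({src_clause}) and ip proto tcp and dst port {port})"


def is_home_web(pkt, home_nets, port=80):
    """True when the packet is HOME_NET -> tcp/<port>, i.e. the traffic
    the inner (un-negated) clause matches."""
    src = ipaddress.ip_address(pkt["src"])
    from_home = any(src in ipaddress.ip_network(n) for n in home_nets)
    return from_home and pkt["proto"] == "tcp" and pkt["dport"] == port


def snort_sees(pkt, home_nets, port=80):
    """Packets passing the negated filter are handed up to Snort; the
    rest are dropped before any preprocessor or rule runs."""
    return not is_home_web(pkt, home_nets, port)


def classify(packets, home_nets, port=80):
    """Return (description, kept) for each sample packet."""
    return [(p["desc"], snort_sees(p, home_nets, port)) for p in packets]


if __name__ == "__main__":
    print(build_ignore_filter(HOME_NET))
    for desc, kept in classify(SAMPLE_PACKETS, HOME_NET):
        print(f"{'PASS' if kept else 'DROP':4} {desc}")
```

The rendered string is what you would hand to Snort as the trailing BPF argument on the command line or read in with `-F <file>`; before deploying it, run the same expression through `tcpdump -nn -r <capture>` to confirm it drops exactly the outbound web traffic and nothing else.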