[Snort-users] False positives portscan2

bob gunzel bob at ...8894...
Wed Apr 16 01:20:03 EDT 2003


I get many false positives from the portscan2 preprocessor (snort 2, IDS 
mode)
of portscans to our gateways:

[**] [117:1:1] (spp_portscan2) Portscan detected from x.x.x.x: 1 targets 21 
ports in 18 seconds [**]
04/16-08:52:30.841873 x.x.x.x:80 -> 213.53.171.134:1393
TCP TTL:50 TOS:0x0 ID:64658 IpLen:20 DgmLen:44 DF
***A**S* Seq: 0x12B17C7F  Ack: 0x186F99  Win: 0x4470  TcpLen: 24
TCP Options (1) => MSS: 1460

Is there any way to filter them out?

Bob Gunzel



-- 
 




More information about the Snort-users mailing list