[Snort-users] spp_portscan2 proxy alerts

gr8dane2 at ...163... gr8dane2 at ...163...
Mon Jan 13 12:45:05 EST 2003


If this message gets posted twice, I'm sorry, I accidentally sent it from a different address and it got held.  (Ok, I'll drink!)

Hello, I'm trying to eliminate some false alerts and I know this one has been discussed, but I seem to be finding conflicting information and would like to know what your thoughts are.  First, my setup:

Sensor:
Snort 1.9.0 Win32 binary downloaded from Snort.org running on a Windows XP system.  It sits between a Novell BorderManager firewall and my LAN.  It is logging the information to a MySQL server.  I also have another sensor outside the firewall, but I'm not concerned with that for this problem.

Server:
Windows XP running MySQL 3.23.54 and ACID 0.9.6 b23 on IIS 5.1.

The BorderManager server is setup as a proxy.  Therefore, I am getting the usual spp_portscan2 traffic:
 [snort] (spp_portscan2) Portscan detected from <BorderManager>: 1 targets 21 ports in 41 seconds

I get about 10 or 12 an hour.  I have found many references to this situation.  I have followed much of the advice, but seem to find myself chasing my tail.  I have configured spp_portscan to ignore hosts and specified my BM, but this had no effect on portscan2.  I have put the same ignore hosts command for the portscan2 as someone had suggested, but that didn't work either.  The only thing I haven't tried yet was someone suggested downloading his personal code that would allow you to do an ignore ports setting for portscan2.  It involves compiling the software, which I am unfamiliar with.  That's why I used the binary on Windows.  Not to mention, I am a little wary about trusting such a situation.  Any help would be greatly appreciated!  Also, thank you all for contributing so much!  The archives have already solved many problems for me.

Dane Howard
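An added example, not part of the post or of Snort: until the preprocessor-side ignore setting takes effect, the alert text quoted above can be triaged on the logging side so proxy-sourced portscan2 alerts are counted rather than reviewed one by one. The address 192.0.2.1 is a constructed stand-in for the BorderManager host, and the sample lines are constructed in the format the post shows.

```python
import re
from collections import Counter

# Alert format quoted in the post (Snort 1.9.0 spp_portscan2):
#   [snort] (spp_portscan2) Portscan detected from <host>: N targets M ports in S seconds
ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>[^:\s]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a portscan2 alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "targets": int(m.group("targets")),
        "ports": int(m.group("ports")),
        "secs": int(m.group("secs")),
    }

def triage(lines, proxy_hosts):
    """Split portscan2 alerts into ones to review and ones attributed to a known proxy.

    proxy_hosts: set of source addresses (as written in the alert) that are known proxies.
    Returns (kept_alerts, suppressed_counts) so proxy noise is still counted, not lost.
    """
    kept = []
    suppressed = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not a portscan2 alert; leave it for other tooling
        if alert["src"] in proxy_hosts:
            suppressed[alert["src"]] += 1
        else:
            kept.append(alert)
    return kept, suppressed

# Constructed sample log; 192.0.2.1 stands in for the BorderManager proxy address.
SAMPLE_LINES = [
    "[snort] (spp_portscan2) Portscan detected from 192.0.2.1: 1 targets 21 ports in 41 seconds",
    "[snort] (spp_portscan2) Portscan detected from 192.0.2.1: 1 targets 23 ports in 37 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.0.0.7: 6 targets 40 ports in 12 seconds",
    "[snort] (other_preprocessor) constructed unrelated alert",  # skipped by the parser
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LINES, {"192.0.2.1"})
    for a in kept:
        print(f"review: {a['src']} hit {a['targets']} targets / {a['ports']} ports in {a['secs']}s")
    for host, n in suppressed.items():
        print(f"suppressed {n} proxy alert(s) from {host}")
```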
