[Snort-users] spp_portscan2 proxy alerts

gr8dane2 at ...163...
Mon Jan 13 12:45:05 EST 2003

If this message gets posted twice, I'm sorry, I accidentally sent it from a different address and it got held.  (Ok, I'll drink!)

Hello, I'm trying to eliminate some false alerts and I know this one has been discussed, but I seem to be finding conflicting information and would like to know what your thoughts are.  First, my setup:

Snort 1.9.0 Win32 binary downloaded from Snort.org running on a Windows XP system.  It sits between a Novell BorderManager firewall and my LAN.  It is logging the information to a MySQL server.  I also have another sensor outside the firewall, but I'm not concerned with that for this problem.

Windows XP running MySQL 3.23.54 and ACID 0.9.6 b23 on IIS 5.1.

The BorderManager server is set up as a proxy.  Therefore, I am getting the usual spp_portscan2 traffic:

    [snort] (spp_portscan2) Portscan detected from <BorderManager>: 1 targets 21 ports in 41 seconds

I get about 10 or 12 an hour.  I have found many references to this situation.  I have followed much of the advice, but seem to find myself chasing my tail.  I have configured spp_portscan to ignore hosts and specified my BM, but this had no effect on portscan2.  I have put the same ignore hosts command for portscan2 as someone had suggested, but that didn't work either.  The only thing I haven't tried yet is something someone suggested: downloading his personal code that would allow you to do an ignore ports setting for portscan2.  It involves compiling the software, which I am unfamiliar with.  That's why I used the binary on Windows.  Not to mention, I am a little wary about trusting such a situation.  Any help would be greatly appreciated!  Also, thank you all for contributing so much!  The archives have already solved many problems for me.

Dane Howard
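As an added example (not part of the original post or of Snort), a small Python filter that parses spp_portscan2 alert lines in the exact format quoted above and suppresses only the single-target, many-ports pattern coming from a listed proxy, while still surfacing anything else the proxy does. The IP addresses and sample lines are constructed; 10.0.0.1 is assumed to stand in for the BorderManager box.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Message format quoted in the post (Snort 1.9 spp_portscan2).
ALERT_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<src>[^:\s]+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds"
)

@dataclass(frozen=True)
class PortscanAlert:
    src: str
    targets: int
    ports: int
    seconds: int

def parse_alert(line: str) -> Optional[PortscanAlert]:
    """Return a PortscanAlert for an spp_portscan2 line, or None for anything else."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return PortscanAlert(m["src"], int(m["targets"]), int(m["ports"]), int(m["secs"]))

def triage(lines: Iterable[str], known_proxies: Set[str]) -> Tuple[List[PortscanAlert], Counter]:
    """Keep alerts worth reviewing; count the ones suppressed as proxy noise.
    A listed proxy is suppressed only for the single-target, many-ports pattern
    seen in the post; a listed proxy touching many targets is still kept."""
    kept: List[PortscanAlert] = []
    suppressed: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert.src in known_proxies and alert.targets == 1:
            suppressed[alert.src] += 1
        else:
            kept.append(alert)
    return kept, suppressed

# Constructed sample alerts; 10.0.0.1 stands in for the BorderManager proxy.
SAMPLE_LINES = [
    "[snort] (spp_portscan2) Portscan detected from 10.0.0.1: 1 targets 21 ports in 41 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.0.0.1: 1 targets 25 ports in 39 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.0.0.1: 40 targets 1 ports in 12 seconds",
    "[snort] (spp_portscan2) Portscan detected from 10.0.0.77: 1 targets 30 ports in 5 seconds",
    "[snort] unrelated alert text from 10.0.0.5",
]
```

Calling `triage(SAMPLE_LINES, {"10.0.0.1"})` suppresses the two single-target proxy alerts and keeps the 40-target one from the proxy plus the alert from the unlisted host, which is the set worth opening in ACID.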
