[Snort-users] spp_portscan2 proxy alerts

Dane Howard Gr8Dane2 at ...163...
Mon Jan 13 15:31:02 EST 2003


Ok, someone answered my question and I deleted it before responding.  I
did try the ssp_portscan2-ignore hosts.  But, at the time I tested it I
was using IDScenter.  I quit using IDScenter due to a problem it has
with the Stream4 (it doesn't disable the evasive scan alert).  So, I
went back and tested the ignore again and, sure enough, it works when
not using IDScenter.  So, beware, if you are using IDScenter and have
problems with either of these scans, that is probably your problem.  I
have posted a comment on their website in regards to it.  And don't get
me wrong, I'm not doggin IDScenter.  Otherwise it is a great program
worth a look if your not using it now.  Not to mention, it does a good
job of the all-elusive automatic emailing of alerts!  Thanks for your
response.  

Thanks again,
Dane

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
gr8dane2 at ...163...
Sent: Monday, January 13, 2003 3:42 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] spp_portscan2 proxy alerts

If this message gets posted twice, I'm sorry, I accidently sent it from
a different address and it got held.  (Ok, I'll drink!)

Hello, I'm trying to eliminate some false alerts and I know this one has
been discussed, but I seem to be finding conflicting information and
would like to know what your thoughts are.  First, my setup:

Sensor:
Snort 1.9.0 -Win32 binary dled from Snort.org running on a Windows XP
system.  It sits between a Novell BorderManager firewall and my Lan.  It
is logging the information to a MySql server.  I also have another
sensor outside the firewall, but I'm not concerned with that for this
problem.

Server:
Windows XP runing MySql 3.23.54 and ACID 0.9.6 b23 on IIS 5.1.

The BorderManager server is setup as a proxy.  Therefore, I am getting
the usual spp_portscan2 traffic:
 [snort] (spp_portscan2) Portscan detected from <BorderManager>: 1
targets 21 ports in 41 seconds    

I get about 10 or 12 an hour.  I have found many references to this
situation.  I have followed much of the advice, but seem to find myself
chasing my tail.  I have configured spp_portscan to ignore hosts and
specified my BM, but this had no effect on portscan2.  I have put the
same ignore hosts command for the portscan2 as someone had suggested,
but that didn't work either.  The only thing I haven't tried yet, was
someone suggested downloading his personal code that would allow you to
do an ignore ports setting for portscan2.  It involves compiling the
software which I am unfamiliar with.  That's why I used the binary on
Windows.  Not to mention, I am a little weary about trusting such a
situation.  Any help would be greatly appreciated!  Also, thank you all
for contributing so much!  The archives have already solved many
problems for me.

Dane Howard



-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list