[Snort-users] Portscan2 woes

Robin Brown robin_brown at ...6115...
Fri May 2 09:09:50 EDT 2003


I'd like to use it, but I keep getting alerted on what looks like normal
return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167
05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0

I have the snort distribution provided by Demarc as they have their own
set of patches for use with a database:
-*> Snort! <*-
Version 2.0.0-db (Build 72)

Snort.conf settings:
preprocessor conversation: allowed_ip_protocols 1 6 7 50 51 47, timeout 60, max_conversations 32000

preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60

preprocessor portscan2-ignorehosts: 10.10.10.0/24

I also tried to use the alert_odd_protocols in the conversation
preprocessor, but that generated alerts on what appeared to be normal
UDP traffic.

Any hints?


Thanks and regards,
Robin
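The pattern in the alerts above, worked as an added example that is not part of the original post: a small Python parser for Snort's portscan2 alert lines that decodes the 12UAPRSF flag string and marks alerts whose source is a well-known service port and whose flags carry ACK (SYN/ACK, RST/ACK), i.e. the server half of connections the 10.10.10.1 host opened itself. The reply heuristic and the per-pair grouping are assumptions for illustration, not portscan2's own logic.

```python
import re

# Constructed sample: the three portscan2 alerts quoted in the post, re-joined
# onto single lines (the mailer wrapped them).
SAMPLE_ALERTS = """\
05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
05/02-08:27:27.108731 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47494 tgts: 1 ports: 12 flags: ***A**S* event_id: 110167
05/02-08:28:03.059478 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47484 tgts: 1 ports: 11 flags: ***A*R** event_id: 0
"""

ALERT_RE = re.compile(
    r"(?P<ts>\S+) (?P<proto>\w+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) event_id: (?P<event_id>\d+)"
)

# Snort prints the TCP flag byte in the order 12UAPRSF; '*' means the bit is unset.
FLAG_ORDER = "12UAPRSF"

def parse_flags(flag_str):
    return {name for name, ch in zip(FLAG_ORDER, flag_str) if ch != "*"}

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        a[key] = int(a[key])
    a["flags"] = parse_flags(a["flags"])
    return a

def is_server_reply(alert):
    """Heuristic (an assumption here, not portscan2's own logic): ACK from a
    well-known service port (SYN/ACK, RST/ACK) is the server's half of a
    connection the 'target' opened itself, not a probe."""
    return alert["sport"] < 1024 and "A" in alert["flags"]

def triage(text):
    """Per (src, dst): distinct dports portscan2 counted, split into replies vs probes."""
    out = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        entry = out.setdefault((a["src"], a["dst"]), {"dports": set(), "replies": 0, "probes": 0})
        entry["dports"].add(a["dport"])
        entry["replies" if is_server_reply(a) else "probes"] += 1
    return out
```

Run over the three sample lines, every alert is classified as a reply and the only thing portscan2 counted was the client's ephemeral destination ports, which is what makes ordinary web responses trip port_limit.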