FW: [Snort-users] Portscan2 woes

Gavin Lowe gavin at ...9089...
Fri May 2 10:41:18 EDT 2003


Robin,

I found the answer to that in the archive yesterday.  Was having the
same problem on my Win2000 box.

Add these params to your config file:

preprocessor portscan2-ignorehosts: $DNS_SERVERS
preprocessor portscan2-ignoreports-to: 80 53
preprocessor portscan2-ignoreports-from: 80


Gavin Lowe
Programmer / Network Administrator
glowe at ...9089...


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Robin
Brown
Sent: Friday, May 02, 2003 10:04 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Portscan2 woes

I'd like to use it, but I keep getting alerted on what looks like normal
return web traffic:

05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0
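
Added example (not part of the original thread, and not Snort code): a small triage helper that parses portscan2 log lines in the format quoted above and marks the ones that look like SYN/ACK replies from a known service port to a client's ephemeral port, which helps decide whether an ignore entry is justified. The function names, the service_ports parameter, the 1024 ephemeral-port cutoff and the second sample line are assumptions made for illustration.

```python
import re

# Snort prints TCP flags as a fixed 8-character field in the order "12UAPRSF";
# a flag that is not set is shown as '*'.
FLAG_ORDER = "12UAPRSF"

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<proto>\S+)\s+src:\s*(?P<src>\S+)\s+dst:\s*(?P<dst>\S+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+"
    r"ports:\s*(?P<ports>\d+)\s+flags:\s*(?P<flags>\S{8})\s+event_id:\s*(?P<event_id>\d+)"
)

def parse_line(line):
    """Return a dict for one portscan2 log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        rec[key] = int(rec[key])
    # Decode the flag field into a set of flag letters, e.g. {"A", "S"}.
    rec["flag_set"] = {name for name, ch in zip(FLAG_ORDER, rec["flags"]) if ch != "*"}
    return rec

def looks_like_server_reply(rec, service_ports=(80,)):
    """True for a SYN/ACK sent from a listed service port to a high client port."""
    return (rec["proto"] == "TCP"
            and rec["sport"] in service_ports
            and rec["dport"] >= 1024          # assumed ephemeral-port cutoff
            and rec["flag_set"] == {"A", "S"})

# Line from the message above, followed by a constructed SYN-only line for contrast.
SAMPLE_REPLY = ("05/02-08:27:27.107257 TCP src: 64.28.64.81 dst: 10.10.10.1 sport: 80 "
                "dport: 47493 tgts: 1 ports: 11 flags: ***A**S* event_id: 0")
SAMPLE_SYN = ("05/02-08:30:00.000000 TCP src: 192.0.2.7 dst: 10.10.10.1 sport: 40000 "
              "dport: 22 tgts: 1 ports: 11 flags: ******S* event_id: 1")

if __name__ == "__main__":
    for line in (SAMPLE_REPLY, SAMPLE_SYN):
        rec = parse_line(line)
        verdict = "server reply" if looks_like_server_reply(rec) else "review"
        print(rec["src"], rec["sport"], "->", rec["dport"], sorted(rec["flag_set"]), verdict)
```

Lines marked "review" are the ones to look at by hand before widening any ignore list.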
