[Snort-users] How to tell spp_portscan2 processor to ignore ICMP events?

Jose Vicente Nunez Z josevnz at ...7052...
Mon Sep 22 12:26:10 EDT 2003


Greetings,

Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:

Info:          (spp_portscan2) Portscan detected from 216.159.9.41: 6
targets 6 ports in 0 seconds
Reference:     
Ofender:       216.159.9.41
Afected:       XX.YY.ZZ.WW
Impact:        1
Reporter:      192.168.0.251
Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
Severity:      Indeterminate

Checking the snort log files I found this:

09/22-08:56:26.700768  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330


I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but have no idea how to fix the issue.

Before, I was getting the "Cyberkit ICMP" alerts, but I took those down
too.

Has anyone else experienced the same problem?

Thanks in advance,

-- 
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
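As an added example (not part of the original post or of Snort itself), the snippet below post-processes a spp_portscan2 scan log like the one quoted above: it re-joins entries that a mail client wrapped onto two lines, parses the "key: value" fields, and reports which offending sources were flagged solely on ICMP echo requests (type 8), so those can be triaged separately from real TCP/UDP port probing. The addresses are placeholders and the TCP entry's field layout is an assumption used only to show the contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the spp_portscan2 scan-log style from the post.
# The ICMP entries are wrapped after "type: 8" as in the mail; the TCP
# entry layout is assumed, only the "key: value" shape matters here.
SAMPLE_LOG = """\
09/22-08:56:26.700768  ICMP src: 198.51.100.7 dst: 192.0.2.10 type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 198.51.100.7 dst: 192.0.2.11 type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:57:01.100000  TCP src: 203.0.113.5 dst: 192.0.2.10 sport: 40000 dport: 22 tgts: 1 ports: 1 event_id: 0
09/22-08:57:01.200000  TCP src: 203.0.113.5 dst: 192.0.2.10 sport: 40001 dport: 23 tgts: 1 ports: 2 event_id: 17331
"""

# A real entry starts with a timestamp; a continuation line does not.
TS_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+")


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their entry."""
    entries = []
    for line in text.splitlines():
        if TS_RE.match(line):
            entries.append(line.rstrip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries


def parse_entry(entry):
    """Return (timestamp, protocol, {field: value}) for one entry."""
    ts, rest = entry.split(None, 1)
    proto, rest = rest.split(None, 1)
    fields = dict(re.findall(r"(\w+):\s*(\S+)", rest))
    return ts, proto, fields


def classify_sources(text):
    """Map each src to the set of probe kinds it was logged with."""
    seen = defaultdict(set)
    for entry in unwrap(text):
        _, proto, f = parse_entry(entry)
        kind = proto if proto != "ICMP" else "ICMP/" + f.get("type", "?")
        seen[f["src"]].add(kind)
    return dict(seen)


def icmp_echo_only(text):
    """Sources whose every logged probe was an ICMP echo request (type 8)."""
    kinds_by_src = classify_sources(text)
    return sorted(s for s, k in kinds_by_src.items() if k == {"ICMP/8"})
```

Sources returned by icmp_echo_only are the worm-style ping sweeps the post describes; anything else in classify_sources still deserves a look.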