[Snort-users] How to tell spp_portscan2 procesor to ignore ICMP events?
Jose Vicente Nunez Z
josevnz at ...7052...
Mon Sep 22 12:26:10 EDT 2003
Greetings,
Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:
Info: (spp_portscan2) Portscan detected from 216.159.9.41: 6
targets 6 ports in 0 seconds
Reference:
Ofender: 216.159.9.41
Afected: XX.YY.ZZ.WW
Impact: 1
Reporter: 192.168.0.251
Time sent: Monday, September 22, 2003 8:56:26 AM EDT
Severity: Indeterminate
Checking the snort log files I found this:
09/22-08:56:26.700768 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508 ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330
I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but have no idea how to fix the issue.
Before, I was getting the "Cyberkit ICMP" alerts, but I took those down
too.
Has anyone else experienced the same problem?
Thanks in advance,
--
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
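Added example (not part of the original post or of Snort): a small Python triage script for the spp_portscan2 scan log shown above. It parses one event per line in the `timestamp PROTO key: value ...` layout the log uses, separates ICMP echo requests (type 8, code 0, the worm ping sweeps) from every other portscan2 event, and counts events and distinct targets per source, so an analyst can see at a glance which portscan alerts are only ICMP noise before touching the preprocessor configuration. The sample lines are constructed (documentation addresses instead of the real ones), and the field layout of the TCP lines is an assumption, not taken from the post; the parser treats every `key: value` pair generically, so it does not depend on that layout.

```python
import re
from collections import defaultdict

# Constructed sample of an spp_portscan2 scan log, one event per line, in the
# layout quoted in the post. Addresses are RFC 5737 documentation ranges.
# The TCP lines are an assumption about that protocol's field layout.
SAMPLE_LOG = """\
09/22-08:56:26.700768 ICMP src: 198.51.100.41 dst: 192.0.2.10 type: 8 code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816 ICMP src: 198.51.100.41 dst: 192.0.2.11 type: 8 code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633 ICMP src: 198.51.100.41 dst: 192.0.2.12 type: 8 code: 0 tgts: 8 event_id: 17330
09/22-08:57:01.000001 TCP src: 203.0.113.5 sport: 44112 dst: 192.0.2.10 dport: 22 tgts: 1 ports: 20 event_id: 17331
09/22-08:57:01.004321 TCP src: 203.0.113.5 sport: 44113 dst: 192.0.2.10 dport: 23 tgts: 1 ports: 21 event_id: 17331
"""

# timestamp, upper-case protocol name, then the remaining "key: value" pairs
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proto>[A-Z]+)\s+(?P<rest>.*)$")
PAIR_RE = re.compile(r"(\w+):\s*(\S+)")


def parse_line(line):
    """Return a dict of fields for one scan-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "proto": m.group("proto")}
    fields.update(PAIR_RE.findall(m.group("rest")))
    return fields


def is_icmp_echo(ev):
    """ICMP echo request: the only event type the poster wants to ignore."""
    return ev["proto"] == "ICMP" and ev.get("type") == "8" and ev.get("code") == "0"


def triage(log_text):
    """Split events into ICMP echo sweeps and everything else, keyed by source IP."""
    noise, keep = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "src" not in ev:
            continue  # skip blank or malformed lines rather than crash on them
        (noise if is_icmp_echo(ev) else keep)[ev["src"]].append(ev)
    return dict(noise), dict(keep)


def summarize(log_text):
    """Per-source counts: how many ICMP echo events, how many distinct hosts
    they touched, and how many non-ICMP events remain worth a look."""
    noise, keep = triage(log_text)
    return {
        "icmp_echo_sources": {
            src: {"events": len(evs), "distinct_targets": len({e["dst"] for e in evs})}
            for src, evs in noise.items()
        },
        "other_sources": {src: len(evs) for src, evs in keep.items()},
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, rows in summarize(text).items():
        print(section)
        for src, info in rows.items():
            print(f"  {src}: {info}")
```

Run it with the path to the real scan log as the only argument; with no argument it runs over the constructed sample. Sources that appear only under `icmp_echo_sources` are the worm ping sweeps; anything under `other_sources` is a portscan2 event that filtering ICMP would not have suppressed and still deserves review.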