[Snort-users] How to tell spp_portscan2 procesor to ignore ICMP events?

Jose Vicente Nunez Z josevnz at ...7052...
Mon Sep 22 12:26:10 EDT 2003


Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:

Info:          (spp_portscan2) Portscan detected from 6
targets 6 ports in 0 seconds
Affected:      XX.YY.ZZ.WW
Impact:        1
Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
Severity:      Indeterminate

Checking the snort log files i found this:

09/22-08:56:26.700768  ICMP src: dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505  ICMP src: dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508  ICMP src: dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330

I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but I have no idea how to fix the issue.

Before, I was getting the "Cyberkit ICMP" alerts, but I took those down.

Has anyone else experienced the same problem?

Thanks in advance,

Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
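The post asks for a spp_portscan2 setting that would make the preprocessor ignore ICMP, and none is identified here. What follows is an added example, not code from the post or from Snort: a post-filter over the spp_portscan2 log in the layout quoted above, which separates events consisting only of ICMP type 8 / code 0 records (the worm's ping sweep) from everything else, so the sweep can be dropped from reporting while the pinged hosts are still listed for follow-up. The sample log is constructed: source addresses are blanked as in the post, and the TCP lines, the ICMP type 3 line and their field layout (sport/dport/ports) are assumptions added as a contrast. Grouping the opening record (event_id 0) in its own bucket is likewise an approximation.

```python
"""Post-filter for spp_portscan2 log output that drops pure ICMP echo-request sweeps.

Added example, not Snort's code: it does not change the preprocessor's
behaviour, it reads the portscan2 log after the fact and separates ICMP
type 8 / code 0 records from everything else.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout quoted in the post. Source addresses were
# blanked in the post and stay blank here; the TCP records, the ICMP type 3
# record and their field layout (sport/dport/ports) are assumptions.
SAMPLE_LOG = """\
09/22-08:56:26.700768  ICMP src: dst: 192.0.2.10 type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: dst: 192.0.2.11 type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: dst: 192.0.2.12 type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:27.001000  TCP src: 198.51.100.7 dst: 192.0.2.20 sport: 4412 dport: 22 tgts: 2 ports: 2 event_id: 17331
09/22-08:56:27.002000  TCP src: 198.51.100.7 dst: 192.0.2.21 sport: 4413 dport: 22 tgts: 3 ports: 3 event_id: 17331
09/22-08:56:28.500000  ICMP src: dst: 192.0.2.30 type: 3
code: 1 tgts: 4 event_id: 17332
"""

# A record starts with "MM/DD-HH:MM:SS.usec" followed by whitespace.
TIMESTAMP = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s")


def unwrap(text: str) -> List[str]:
    """Rejoin records that the mail archive wrapped across lines: a line that
    does not begin with a timestamp is a continuation of the previous one."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'TIMESTAMP PROTO key: value ...' into a dict. A key that is
    immediately followed by another key (the blanked 'src:') gets ''."""
    tokens = line.split()
    rec = {"ts": tokens[0], "proto": tokens[1]}
    fields = tokens[2:]
    i = 0
    while i < len(fields):
        key = fields[i].rstrip(":")
        nxt = fields[i + 1] if i + 1 < len(fields) else ""
        if nxt.endswith(":"):  # next token is itself a key: value is empty
            rec[key] = ""
            i += 1
        else:
            rec[key] = nxt
            i += 2
    return rec


def is_icmp_echo_request(rec: Dict[str, str]) -> bool:
    """ICMP type 8 / code 0 is an echo request, i.e. a plain ping."""
    return rec["proto"] == "ICMP" and rec.get("type") == "8" and rec.get("code") == "0"


def split_echo_sweeps(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (kept, suppressed). An event_id is suppressed only when every
    record carrying it is an ICMP echo request; a mixed event stays visible,
    so a scan that pings first and then probes TCP ports is not hidden.
    Assumption: the opening record (event_id 0) is bucketed on its own."""
    records = [parse_record(r) for r in unwrap(text)]
    by_event: Dict[str, List[Dict[str, str]]] = {}
    for rec in records:
        by_event.setdefault(rec.get("event_id", ""), []).append(rec)
    kept, suppressed = [], []
    for rec in records:
        group = by_event[rec.get("event_id", "")]
        (suppressed if all(is_icmp_echo_request(r) for r in group) else kept).append(rec)
    return kept, suppressed


def sweep_targets(suppressed: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts pinged by the suppressed sweep, sorted, for follow-up."""
    return sorted({r["dst"] for r in suppressed})


if __name__ == "__main__":
    kept, dropped = split_echo_sweeps(SAMPLE_LOG)
    print(f"suppressed {len(dropped)} echo-request records covering "
          f"{len(sweep_targets(dropped))} target hosts: {sweep_targets(dropped)}")
    for rec in kept:
        print("KEEP", rec["ts"], rec["proto"], "dst:", rec["dst"], "event_id:", rec["event_id"])
```

The filter keys on the whole event rather than on single records: the pure ping sweep is dropped, but an event that mixes echo requests with TCP probes stays in the report, which is the case you do not want to lose while quieting the worm noise.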
