[Snort-users] How to tell spp_portscan2 processor to ignore ICMP events?

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Tue Sep 23 08:28:05 EDT 2003


Survey says:

preprocessor conversation: allowed_ip_protocols 6 17, <rest of
conversation config>.....

The allowed_ip_protocols part is followed by the protocols you want to
watch (separated by spaces).
 1  = ICMP
 6  = TCP
 17 = UDP

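As an added example (not from the reply above or from the Snort project's own documentation), a snort.conf fragment showing the over-broad setting beside the corrected one; the portscan2 thresholds are assumed values and should be checked against your own configuration:

```conf
# Before: the conversation preprocessor tracks every IP protocol, so an
# ICMP echo sweep across a handful of hosts is counted by portscan2 as a
# portscan (the "6 targets 6 ports in 0 seconds" alert in the thread).
# preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

# After: only TCP (6) and UDP (17) conversations are tracked, so portscan2
# never sees the ICMP packets (protocol 1) and does not count them as targets.
# conversation must be declared BEFORE portscan2, which depends on it.
preprocessor conversation: allowed_ip_protocols 6 17, timeout 60, max_conversations 32000

# portscan2 thresholds (assumed values): alert once a single source touches
# more than 5 targets or 20 ports within the 60-second window.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Trade-off: with ICMP excluded, this preprocessor no longer reports ICMP
# host sweeps at all; keep a separate ICMP rule or threshold if that
# visibility matters on your network.
```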

-----Original Message-----
From: Jose Vicente Nunez Z [mailto:josevnz at ...7052...] 
Sent: Monday, September 22, 2003 8:04 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] How to tell spp_portscan2 processor to ignore ICMP
events?


Greetings,

Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:

Info:          (spp_portscan2) Portscan detected from 216.159.9.41: 6
targets 6 ports in 0 seconds
Reference:     
Ofender:       216.159.9.41
Afected:       XX.YY.ZZ.WW
Impact:        1
Reporter:      192.168.0.251
Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
Severity:      Indeterminate

Checking the snort log files I found this:

09/22-08:56:26.700768  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330


I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but have no idea how to fix the issue.

Before, I was getting the "Cyberkit ICMP" alerts, but I took those down
too.

Has anyone else experienced the same problem?

Thanks in advance,

-- 
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
