[Snort-users] How to tell spp_portscan2 processor to ignore ICMP events?

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Tue Sep 23 08:28:05 EDT 2003

Survey says:

preprocessor conversation: allowed_ip_protocols 6 17, <rest of
conversation config>.....

The allowed_ip_protocols part followed by the protocols you want to
watch (separated by spaces).
 1  = ICMP
 6  = TCP
 17 = UDP

-----Original Message-----
From: Jose Vicente Nunez Z [mailto:josevnz at ...7052...] 
Sent: Monday, September 22, 2003 8:04 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] How to tell spp_portscan2 processor to ignore ICMP


Because of the last Microsoft virus, my snort sensor keeps reporting the
ICMP scans as portscans:

Info:          (spp_portscan2) Portscan detected from 6
targets 6 ports in 0 seconds
Afected:       XX.YY.ZZ.WW
Impact:        1
Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
Severity:      Indeterminate

Checking the snort log files I found this:

09/22-08:56:26.700768  ICMP src: dst: XX.YY.ZZ.AA type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: dst: XX.YY.ZZ.AB type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:26.718633  ICMP src: dst: XX.YY.ZZ.AC type: 8
code: 0 tgts: 8 event_id: 17330
09/22-08:56:26.720693  ICMP src: dst: XX.YY.ZZ.AD type: 8
code: 0 tgts: 9 event_id: 17330
09/22-08:56:26.734783  ICMP src: dst: XX.YY.ZZ.AE type: 8
code: 0 tgts: 10 event_id: 17330
09/22-08:56:26.746651  ICMP src: dst: XX.YY.ZZ.AF type: 8
code: 0 tgts: 11 event_id: 17330
09/22-08:56:26.766505  ICMP src: dst: XX.YY.ZZ.AG type: 8
code: 0 tgts: 12 event_id: 17330
09/22-08:56:26.789508  ICMP src: dst: XX.YY.ZZ.AN type: 8
code: 0 tgts: 13 event_id: 17330

I have no hope that the victims will ever install an antivirus to fix
the problem, and because our network is well protected I just want to
ignore this type of ICMP scan. I checked the parameters for the
spp_portscan plugin, but have no idea how to fix the issue.

Before, I was getting the "Cyberkit ICMP" alerts, but I took those down.

Has anyone else experienced the same problem?

Thanks in advance,

Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
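
A triage check to run before dropping protocol 1 from allowed_ip_protocols, as an added example that is not part of the original thread: it parses log records in the layout quoted above and separates sources that only sent ICMP echo requests (type 8) from sources that also show other protocols. The sample records, the addresses and the TCP line's field names are constructed assumptions.

```python
import re

# Constructed sample in the layout of the log excerpt quoted above; the
# addresses are documentation ranges and the TCP field names are assumed.
SAMPLE = """\
09/22-08:56:26.700768  ICMP src: 192.0.2.10 dst: 198.51.100.1 type: 8
code: 0 tgts: 6 event_id: 0
09/22-08:56:26.703816  ICMP src: 192.0.2.10 dst: 198.51.100.2 type: 8
code: 0 tgts: 7 event_id: 17330
09/22-08:56:27.101200  TCP src: 192.0.2.77 dst: 198.51.100.5 sport: 4021
dport: 445 tgts: 6 event_id: 17331
09/22-08:56:27.101900  ICMP src: 192.0.2.77 dst: 198.51.100.6 type: 8
code: 0 tgts: 7 event_id: 17331
09/22-08:56:27.250000  ICMP src: dst: 198.51.100.9 type: 8
code: 0 tgts: 6 event_id: 0
"""

STAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\w+)\s+(.*)$")

def parse(text):
    """Rejoin mail-wrapped records and split each into key: value fields."""
    joined = []
    for line in text.splitlines():
        if STAMP.match(line):
            joined.append(line.strip())
        elif line.strip() and joined:
            joined[-1] += " " + line.strip()   # continuation of a wrapped record
    for rec in joined:
        ts, proto, rest = STAMP.match(rec).groups()
        fields, key = {"ts": ts, "proto": proto}, None
        for tok in rest.split():
            if tok.endswith(":"):   # a key; its value may be empty (redacted src)
                key = tok[:-1]
                fields[key] = ""
            elif key:
                fields[key], key = tok, None
        yield fields

def triage(text):
    """Split sources into ICMP-echo-only and those that also show other traffic."""
    seen = {}
    for r in parse(text):
        kind = "echo" if (r["proto"], r.get("type")) == ("ICMP", "8") else r["proto"]
        seen.setdefault(r.get("src") or "<redacted>", set()).add(kind)
    echo_only = sorted(s for s, kinds in seen.items() if kinds == {"echo"})
    mixed = sorted(s for s, kinds in seen.items() if kinds != {"echo"})
    return echo_only, mixed
```

Call `triage()` on the text of the log file: sources in the second list also appear in TCP or UDP records, so they deserve a look on their own rather than being written off as ping-sweep noise.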
