[Snort-users] How to tell spp_portscan2 processor to ignore ICMP events?

Jose Vicente Nunez Z josevnz at ...7052...
Wed Sep 24 05:58:02 EDT 2003


Looks like this is what I was looking for! Thanks a lot.

JV.

On Tue, 2003-09-23 at 11:23, Kreimendahl, Chad J wrote:
> Survey says:
> 
> preprocessor conversation: allowed_ip_protocols 6 17, <rest of
> conversation config>.....
> 
> The allowed_ip_protocols part followed by the protocols you want to
> watch (separated by spaces).
>  1  = ICMP
>  6  = TCP
>  17 = UDP
> 
> 
> -----Original Message-----
> From: Jose Vicente Nunez Z [mailto:josevnz at ...7052...] 
> Sent: Monday, September 22, 2003 8:04 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] How to tell spp_portscan2 processor to ignore ICMP
> events?
> 
> 
> Greetings,
> 
> Because of the last Microsoft virus, my snort sensor keeps reporting the
> ICMP scans as portscans:
> 
> Info:          (spp_portscan2) Portscan detected from 216.159.9.41: 6
> targets 6 ports in 0 seconds
> Reference:     
> Ofender:       216.159.9.41
> Afected:       XX.YY.ZZ.WW
> Impact:        1
> Reporter:      192.168.0.251
> Time sent:     Monday, September 22, 2003 8:56:26 AM EDT
> Severity:      Indeterminate
> 
> Checking the snort log files I found this:
> 
> 09/22-08:56:26.700768  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AA type: 8 code: 0 tgts: 6 event_id: 0
> 09/22-08:56:26.703816  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AB type: 8 code: 0 tgts: 7 event_id: 17330
> 09/22-08:56:26.718633  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AC type: 8 code: 0 tgts: 8 event_id: 17330
> 09/22-08:56:26.720693  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AD type: 8 code: 0 tgts: 9 event_id: 17330
> 09/22-08:56:26.734783  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AE type: 8 code: 0 tgts: 10 event_id: 17330
> 09/22-08:56:26.746651  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AF type: 8 code: 0 tgts: 11 event_id: 17330
> 09/22-08:56:26.766505  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AG type: 8 code: 0 tgts: 12 event_id: 17330
> 09/22-08:56:26.789508  ICMP src: 216.159.9.41 dst: XX.YY.ZZ.AN type: 8 code: 0 tgts: 13 event_id: 17330
> 
> 
> I have no hope that the victims will ever install an antivirus to fix
> the problem, and because our network is well protected I just want to
> ignore this type of ICMP scan. I checked the parameters for the
> spp_portscan plugin, but I have no idea how to fix the issue.
> 
> Before, I was getting the "Cyberkit ICMP" alerts, but I took those down
> too.
> 
> Has anyone else experienced the same problem?
> 
> Thanks in advance,
-- 
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator
http://www.newbreak.com
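As an added illustration of Chad's answer (example code written for this page, not code from the thread or from Snort), the snippet below models what the conversation preprocessor's allowed_ip_protocols setting does in front of spp_portscan2: packets of protocols not in the list are never tracked, so an ICMP echo sweep stops counting toward a portscan while a TCP sweep still does. The ICMP lines follow the spp_portscan2 format quoted above; the TCP lines, the target threshold of 6, and every address except the original offender are constructed.

```python
"""Model of the conversation preprocessor's allowed_ip_protocols filter in
front of spp_portscan2.  Added example, not Snort code: TCP log lines, the
target threshold and all addresses except 216.159.9.41 are constructed."""
import re
from collections import defaultdict

ICMP, TCP, UDP = 1, 6, 17          # IP protocol numbers used by allowed_ip_protocols
PROTO_NUM = {"ICMP": ICMP, "TCP": TCP, "UDP": UDP}

# Constructed sample: an ICMP echo (type 8) sweep and a TCP sweep, six hosts each.
SAMPLE_LOG = """\
09/22-08:56:26.700768  ICMP src: 216.159.9.41 dst: 192.0.2.10 type: 8 code: 0
09/22-08:56:26.703816  ICMP src: 216.159.9.41 dst: 192.0.2.11 type: 8 code: 0
09/22-08:56:26.718633  ICMP src: 216.159.9.41 dst: 192.0.2.12 type: 8 code: 0
09/22-08:56:26.720693  ICMP src: 216.159.9.41 dst: 192.0.2.13 type: 8 code: 0
09/22-08:56:26.734783  ICMP src: 216.159.9.41 dst: 192.0.2.14 type: 8 code: 0
09/22-08:56:26.746651  ICMP src: 216.159.9.41 dst: 192.0.2.15 type: 8 code: 0
09/22-08:57:01.000001  TCP src: 198.51.100.7 dst: 192.0.2.10 dport: 445
09/22-08:57:01.000002  TCP src: 198.51.100.7 dst: 192.0.2.11 dport: 445
09/22-08:57:01.000003  TCP src: 198.51.100.7 dst: 192.0.2.12 dport: 445
09/22-08:57:01.000004  TCP src: 198.51.100.7 dst: 192.0.2.13 dport: 445
09/22-08:57:01.000005  TCP src: 198.51.100.7 dst: 192.0.2.14 dport: 445
09/22-08:57:01.000006  TCP src: 198.51.100.7 dst: 192.0.2.15 dport: 445
"""

LINE_RE = re.compile(r"^\S+\s+(?P<proto>ICMP|TCP|UDP) src: (?P<src>\S+) dst: (?P<dst>\S+)")

def parse(log):
    """Yield (ip_protocol, src, dst) for each portscan2-style line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield PROTO_NUM[m["proto"]], m["src"], m["dst"]

def scan_sources(log, allowed_ip_protocols, targets_max):
    """Return {src: distinct_target_count} for sources reaching at least
    targets_max hosts, counting only protocols the preprocessor tracks."""
    targets = defaultdict(set)
    for proto, src, dst in parse(log):
        if proto in allowed_ip_protocols:       # filtered here, portscan2 never sees it
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= targets_max}

if __name__ == "__main__":
    # ICMP tracked: the echo sweep is reported as a portscan alongside the TCP one.
    print(scan_sources(SAMPLE_LOG, {ICMP, TCP, UDP}, 6))
    # "allowed_ip_protocols 6 17": only the TCP sweep is reported.
    print(scan_sources(SAMPLE_LOG, {TCP, UDP}, 6))
```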
