[Snort-users] suppress 'open port' on well-known services
rkidder at ...13076...
Wed Feb 23 09:37:17 EST 2005
I'm new to Snort and have a question that I can't find an answer to.
I've got a box up and running. I'm now trying to suppress the "normal"
traffic on my network. Two big ones that I see happening are:
* PCs browsing on TCP/80
* Mail servers sending on TCP/25
In these two instances, Snort is alerting 122:27 "(portscan) Open Port".
If I suppress 122:27, I could very well also suppress stuff I don't want to
(i.e. a trojan connecting to an IRC box on tcp/1337).
Can I write suppression statements based not only on gen_id, sig_id, and
src/dst ip, but also include tcp or udp port? Or am I approaching this the
Thanks in advance,
Safelite Glass Corp.