[Snort-users] suppress 'open port' on well-known services

Roy Kidder rkidder at ...13076...
Wed Feb 23 09:37:17 EST 2005


 
I'm new to snort and have a question that I can't find an answer to.

I've got a box up and running. I'm now trying to suppress the "normal"
traffic on my network. Two big ones that I see happening are:

* PCs browsing on TCP/80
* Mail servers sending on TCP/25

In these two instances, snort is alerting 122:27 "(portscan) Open Port".

If I suppress 122:27, I could very well also suppress stuff I don't want to
(ie a trojan connecting to an IRC box on tcp/1337).

Can I write suppression statements based not only on gen_id, sig_id, and
src/dst ip, but also include tcp or udp port? Or am I approaching this the
wrong way?

Thanks in advance,
Roy



Roy Kidder
Network Engineer
Safelite Glass Corp.






More information about the Snort-users mailing list