[Snort-users] sfportscan question

Alex Gottschalk agottschalk at ...13723...
Wed Mar 8 14:12:03 EST 2006


Hi All,

I've set up a snort box on the perimeter of an office network, and I'm
getting a lot of what I believe are false alarms from the sfportscan
module.  What I'm interested in being alerted to is:

Internal -> Internal portscans
Internal -> External portscans

However, apparently a lot of systems are apparently causing false 
alarms.  Is there a minimum time between events threshold that I can 
tune, or a way to exclude certain ports?  (80 and 443 come to mind.)  I 
don't want to disable alerts for portsweeps entirely since so many bots 
do in fact use portsweeps to find large numbers of vulnerable hosts.


Here's an example of the kind of false alarm I want to get rid of:

[**] [122:3:0] (portscan) TCP Portsweep [**]
03/08-13:22:40.607407 192.168.XXX.XXX -> 68.142.219.133
RESERVED TTL:0 TOS:0x20 ID:48565 IpLen:20 DgmLen:164 DF

Time: 03/08-13:22:40.627571
event_ref: 192
192.168.XXX.XXX -> 68.142.219.133 (portscan) Open Port
Open Port: 80

I chose this example because I'm 100% sure it's a false alarm - the host 
being "scanned" is part of Yahoo! Music, and I confirmed that the 
end-user had really actually made a connection to that host.

THanks!

--Alex




/----------------------------------------------------------------------\
| Alex Gottschalk <agottschalk at ...13723...>
| LetsTalk, Inc. -- IT Manager/Sysadmin
\----------------------------------------------------------------------/





More information about the Snort-users mailing list