[Snort-users] Help with noisy alerts for known application

Daniel Shepherd shepdelacreme at ...11827...
Fri Apr 8 15:04:17 EDT 2011


That is an alert generated by the portscan preprocessor. Check out the
README.sfportscan doc for details on tuning the preprocessor but it
looks like you could use the

* ignore_scanned { <ip1|ip2/cidr[ [port1|port2-port3]]> }

parameter to tune out incoming scans to specific hosts/ports.

Here is a link to the doc online.

http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/doc/README.sfportscan?rev=HEAD&content-type=text/plain


On Fri, Apr 8, 2011 at 2:26 PM, Geoff Sweet <geoff.sweet at ...15218...> wrote:
> When we first implemented Snort we found that we were generating tons of
> alerts from our games. That was to be expected and so we started digging in
> to try to quiet down the alerts.  The very first thing that we trimmed was
> the “COMMUNITY SIP TCP/IP message flooding directed to SIP proxy” alert that
> was thrown for basically every single connection to our game.  A bit of
> reading in the old snort forum said that getting rid of that rule was ok so
> I commented it out of the rule file.  So after a bit of reading online I
> came up with two rule files that describe our two primary games, and from
> the reading set them to “pass” so that Snort would recognize the traffic and
> quietly pass it.  The rules look like this:
>
> /etc/snort/rules$ cat wemade-mir3.rules
> pass tcp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)
>
> /etc/snort/rules$ cat joymax-silkroads.rules
> pass tcp $EXTERNAL_NET any -> any 15779 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 12989 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 15021 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 15020 (msg:"Silkroads Online";)
>
> The problem at this point is that every connection to the games generates a
> portscan alert.  I have over 220K of them in a 12 hour period.  I was under
> the assumption from the documentation that by creating this rule with the
> specific ports listed and the action as “pass” that snort wouldn’t raise an
> alert.  Am I doing something wrong with this rule?  All the alerts are
> marked with the signature “(portscan) Open Port: [whatever game port from
> above]” and links to http://www.snortid.com/snortid.asp?QueryId=122-27
>
>
>
> Any help would be greatly appreciated.
>
>
>
> -Geoff
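Added example (not from either poster): how the ignore_scanned suggestion above translates into configuration, using the game ports quoted in the thread. The 10.0.0.0/24 subnet is an assumed placeholder for the game-server hosts, and the bracketed port-list syntax follows the form quoted from README.sfportscan; the threshold.conf line is an alternative that suppresses only the gid 122 / sid 27 "Open Port" event for those destinations. The pass rules above run in the rule engine, so they do not affect events the preprocessor raises.

```conf
# --- snort.conf fragment ---------------------------------------------------
# Tell sfportscan not to treat connections *to* the game servers on the game
# ports as scan evidence. 10.0.0.0/24 is a placeholder: replace it with the
# real game-server addresses. Ports/ranges are listed after the IP in
# brackets, per the <ip [port1|port2-port3]> form in README.sfportscan.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanned { 10.0.0.0/24 [7000,7100-7101,7200-7205,12989,15020-15021,15779] } \
    logfile { portscan.log }

# --- threshold.conf alternative --------------------------------------------
# Narrower option: keep the preprocessor watching everything, but suppress
# only the "(portscan) Open Port" event (gid 122, sid 27 from the thread)
# when the destination is a game server. Scans of other hosts still alert.
suppress gen_id 122, sig_id 27, track by_dst, ip 10.0.0.0/24
```

Restart Snort (or send it a reload) after changing either file, and confirm with a test connection to one game port that the Open Port event no longer fires while a scan against a non-game host still does.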