[Snort-users] sf_portscan tuning

Turnbough, Bradley E. bturnbough at ...15650...
Mon Oct 29 15:15:40 EDT 2012


Can someone tell me how to filter this out of the portscan.log file?

Time: 10/29-15:10:06.363387
event_ref: 0
11.22.33.44 -> 55.66.77.88 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 19
Scanned IP Range: 9.10.11.12:13.14.15.16
Port/Proto Count: 1
Port/Proto Range: 113:113

I only want to filter out what this thing considers scans from 11.22.33.44 to TCP 113 on any host.  11.22.33.44 is a Proxy server and is querying for TCP 113 because 113 is tied to IDENT (our proxy auth tracking mechanism).
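
One way to do this after the fact, as an added example that is not part of the original post and is not Snort code: a Python filter that drops from portscan.log only the records whose source is the proxy and whose Port/Proto Range is exactly 113:113. It assumes the record layout shown in the post; the function names are hypothetical, and the second and third sample records are constructed and abbreviated.

```python
import re

# Alert line as it appears in the post: "src -> dst (portscan) TCP Portsweep"
ALERT_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (\S+) (.+)$", re.M)
RANGE_RE = re.compile(r"^Port/Proto Range: (\d+):(\d+)$", re.M)

def split_records(text):
    """Split portscan.log text into records, each starting at a 'Time:' line."""
    parts = re.split(r"(?m)^(?=Time: )", text)
    return [p.strip() for p in parts if p.strip().startswith("Time: ")]

def is_suppressed(record, src, proto, port):
    """True only when the record is from src, uses proto, and the whole
    Port/Proto Range is exactly port:port, so a scan from the same host
    that touches other ports is still kept."""
    alert = ALERT_RE.search(record)
    rng = RANGE_RE.search(record)
    if not alert or not rng:
        return False  # records that do not parse are kept, never dropped
    return (alert.group(1) == src and alert.group(3).upper() == proto
            and int(rng.group(1)) == port == int(rng.group(2)))

def filter_log(text, src="11.22.33.44", proto="TCP", port=113):
    """Return the log text with matching records removed."""
    kept = [r for r in split_records(text) if not is_suppressed(r, src, proto, port)]
    return "\n\n".join(kept) + ("\n" if kept else "")

# Sample input: first record is the one from the post, the other two are constructed.
SAMPLE = """Time: 10/29-15:10:06.363387
event_ref: 0
11.22.33.44 -> 55.66.77.88 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 19
Scanned IP Range: 9.10.11.12:13.14.15.16
Port/Proto Count: 1
Port/Proto Range: 113:113

Time: 10/29-15:11:02.000001
11.22.33.44 -> 55.66.77.90 (portscan) TCP Portscan
Port/Proto Range: 22:445

Time: 10/29-15:12:40.000002
192.0.2.7 -> 55.66.77.88 (portscan) TCP Portsweep
Port/Proto Range: 113:113
"""

if __name__ == "__main__":
    print(filter_log(SAMPLE), end="")
```

This only post-processes the log file; the preprocessor still generates the events, so the match is kept deliberately narrow to avoid hiding other activity from the proxy.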

