Snort mailing list archives

portscan false alerts on NFS & ftp


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Sat, 2 Jun 2001 15:49:33 -0700 (PDT)


Is there a way to disable the portscan for NFS data transfers ?

I recently had a slightly embarrassing automatic alert sent to
a collaborating institution by my reporter script, triggered off
a legitimate NFS transfer as below. I have since fixed my script to
ignore source port 2049 but maybe it is/should be ignorable in Snort ?

(I know NFS across the Internet is deprecated, but we've been doing it for
years and it's Gb of non-sensitive data ... too difficult to change
everything...)


Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:719 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:721 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:723 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:725 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:603 UDP
Jun  2 01:27:08 x.y.36.33:2049 -> 142.90.a.b:605 UDP

In a similar vein I sometimes get scan alerts off big ftp data transfers.
I suspect that the snort system is losing some packets if it sees a SYN
only, or maybe the net's congested or something. Difficult to test.
I'd been ignoring scans to unprivileged ports in my script, but maybe
I should ignore source port 20. Again, can one ignore this in Snort ?

May 29 09:43:18 137.138.24.190:20 -> 142.90.100.68:2519 SYN ******S*
May 29 09:43:27 137.138.24.190:20 -> 142.90.100.68:2520 SYN ******S*
May 29 09:43:53 137.138.24.190:20 -> 142.90.100.68:2521 SYN ******S*
May 29 09:44:08 137.138.24.190:20 -> 142.90.100.68:2522 SYN ******S*
May 29 09:44:15 137.138.24.190:20 -> 142.90.100.68:2523 SYN ******S*
May 29 09:44:58 137.138.24.190:20 -> 142.90.100.68:2526 SYN ******S*
May 29 09:46:36 137.138.24.190:20 -> 142.90.100.68:2527 SYN ******S*


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
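The post asks whether the two benign patterns in its logs (NFS server replies from UDP source port 2049 fanning out to many client reserved ports, and active-mode FTP data connections from TCP source port 20 to sequential high ports) can be suppressed before a reporter script mails anyone. The script below is an added example, not the poster's script and not part of Snort: it parses the one-line-per-probe portscan log format shown in the post, applies exemption rules for exactly those two patterns, and collapses whatever remains into one row per source/destination pair. The exemptions are tied to the specific peer hosts rather than to the source port alone, because a port-only rule would also silence any other host that happened to send from port 2049 or 20. The host allowlist is built from the addresses in the post; the extra probes from 203.0.113.9 in the sample input are constructed to show what still gets reported.

```python
"""Post-filter for Snort portscan log lines (added example, not the poster's
reporter script).  Assumes the one-probe-per-line format quoted in the post:
  "Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:719 UDP"
  "May 29 09:43:18 137.138.24.190:20 -> 142.90.100.68:2519 SYN ******S*"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<proto>UDP|SYN)(?: (?P<flags>\S+))?$"
)


def parse_line(line):
    """Return a dict for one probe line, or None if the line is not a probe."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    # Snort writes "SYN <flags>" for TCP probes and plain "UDP" for UDP ones.
    p["proto"] = "TCP" if p["proto"] == "SYN" else "UDP"
    return p


# Exemption rules: (protocol, source port, hosts allowed to match the rule).
# Host sets are the peers named in the post; a port-only rule would also hide
# any other source that chose the same port, so the rule is bound to the host.
EXEMPT = [
    ("UDP", 2049, {"x.y.36.33"}),       # NFS server replies to client reserved ports
    ("TCP", 20, {"137.138.24.190"}),    # active-mode FTP data connections
]


def is_exempt(probe, rules=EXEMPT):
    return any(
        probe["proto"] == proto and probe["sport"] == sport and probe["src"] in hosts
        for proto, sport, hosts in rules
    )


def filter_probes(lines, rules=EXEMPT):
    """Split parsed probes into (kept, suppressed) lists."""
    kept, suppressed = [], []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # blank lines, other log formats
        (suppressed if is_exempt(p, rules) else kept).append(p)
    return kept, suppressed


def summarize(probes):
    """One row per (src, dst, proto) with the number of distinct destination
    ports hit; this is the shape a reporter should mail, not raw lines."""
    ports = defaultdict(set)
    for p in probes:
        ports[(p["src"], p["dst"], p["proto"])].add(p["dport"])
    return {key: len(v) for key, v in ports.items()}


# Constructed sample: the post's own lines plus three probes from 203.0.113.9
# (a documentation address) that the rules must NOT suppress, including one
# that uses source port 2049 from a host that is not on the NFS allowlist.
SAMPLE = """\
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:719 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:721 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:723 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:725 UDP
Jun  2 01:27:07 x.y.36.33:2049 -> 142.90.a.b:603 UDP
Jun  2 01:27:08 x.y.36.33:2049 -> 142.90.a.b:605 UDP
May 29 09:43:18 137.138.24.190:20 -> 142.90.100.68:2519 SYN ******S*
May 29 09:43:27 137.138.24.190:20 -> 142.90.100.68:2520 SYN ******S*
May 29 09:43:53 137.138.24.190:20 -> 142.90.100.68:2521 SYN ******S*
May 29 09:44:08 137.138.24.190:20 -> 142.90.100.68:2522 SYN ******S*
May 29 09:44:15 137.138.24.190:20 -> 142.90.100.68:2523 SYN ******S*
May 29 09:44:58 137.138.24.190:20 -> 142.90.100.68:2526 SYN ******S*
May 29 09:46:36 137.138.24.190:20 -> 142.90.100.68:2527 SYN ******S*
Jun  2 02:00:00 203.0.113.9:53142 -> 142.90.100.68:22 SYN ******S*
Jun  2 02:00:00 203.0.113.9:53143 -> 142.90.100.68:23 SYN ******S*
Jun  2 02:00:01 203.0.113.9:2049 -> 142.90.100.68:111 UDP
"""

if __name__ == "__main__":
    kept, suppressed = filter_probes(SAMPLE.splitlines())
    print(f"suppressed {len(suppressed)} probes, reporting {len(kept)}")
    for (src, dst, proto), n in summarize(kept).items():
        print(f"{src} -> {dst} {proto}: {n} distinct ports")
```

Note that the NFS replies in the post go to destination ports 603 through 725, all below 1024, so the rule the post says the script already had (ignore scans to unprivileged ports) cannot catch them; the exemption has to key on the NFS server's source port and host. This filter runs over Snort's portscan output after the fact and does not change what the portscan preprocessor itself alerts on.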

