Snort mailing list archives
Re: portscan reported from virtual interfaces
From: Dragos Ruiu <dr () kyx net>
Date: Fri, 20 Jul 2001 12:32:05 -0700
On Fri, 20 Jul 2001, Jeffrey Meltzer wrote:
Hi, I'm having a problem where snort is reporting portscans from virtual interfaces on the box where portscan is running (ie, it's reporting that le0:1 is scanning le0). Anybody know how I can tell it to not look for this? It's filling up the logfiles fairly quickly.
Uhm.... the flippant answer is to say "Don't run snort on those interfaces..." But I suspect you are running RedHat's err... funky pcap that funnels all the interfaces into one process.... How about.... disable portscan dection on that main all i/f snort and run a separate snort with only portscan detection enabled on the interfaces you do care to receive protscan info about... or separate it out to run separate discrete configs for each interface explicitly using the interface command line switch... As a first cut at it those are some suggestions... hope this helps or <eliza> maybe you can explain your problem further...</eliza>. cheers, --dr _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- portscan reported from virtual interfaces Jeffrey Meltzer (Jul 20)
- Re: portscan reported from virtual interfaces Dragos Ruiu (Jul 20)