Snort mailing list archives

RE: how to disable spp_portscan?


From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 18 Dec 2001 08:55:36 -0600

 
robe () alfa21 com (Roberto Suarez Soto) writes:

    So, to say it in another way: how can I *totally* disable
    spp_portscan? Don't tell me that I just comment it in snort.conf, because
    that's how it is now and it's still reporting portscans. I can show you my
    snort.conf if you don't believe me :-)


If you commented spp_portscan in snort.conf, the alerts you are seeing are
NOT coming from it.  More likely they are coming from snort itself, and you
have rules that are designed to trigger on certain types of portscans,
particularly stealthy type ones. For example these rules from scan.rules
(which is enabled by default), each of which is a single line in the rules file:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:1;)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
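To show why these five scan.rules entries alert with the preprocessor commented out, here is an added Python example (not from the post above and not Snort's own code) that parses the flags, seq, ack and sid options of those rules and reports which would fire on a constructed TCP header. It assumes Snort's semantics for a bare flags value (no +, * or ! modifier): the packet's flag byte must match exactly.

```python
# Added example: evaluate the scan.rules entries quoted in the message above
# against constructed TCP header values. Not part of the original post.

# The five rules from the message, one rule per line.
SCAN_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN IP Eye SYN Scan"; flags: S; seq: 1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:1;)',
]

# Snort flag letters mapped to the bits of the TCP flags byte.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule(rule):
    """Return the option section of a Snort rule as a dict (msg, flags, seq, ack, sid, ...)."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    parsed = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            parsed[key.strip()] = value.strip().strip('"')
    return parsed


def flags_to_mask(spec):
    """Convert a Snort flags value such as 'F', 'SF', 'SRAFPU' or '0' to a bitmask."""
    if spec == "0":
        return 0
    mask = 0
    for letter in spec:
        mask |= FLAG_BITS[letter]
    return mask


def matching_rules(flags, seq=None, ack=None):
    """Return (sid, msg) for every scan rule a TCP header with these values would fire."""
    hits = []
    for rule in SCAN_RULES:
        opts = parse_rule(rule)
        # Bare flags value: exact match against the packet's flag byte (assumption stated above).
        if flags != flags_to_mask(opts["flags"]):
            continue
        if "seq" in opts and seq != int(opts["seq"]):
            continue
        if "ack" in opts and ack != int(opts["ack"]):
            continue
        hits.append((int(opts["sid"]), opts["msg"]))
    return hits


if __name__ == "__main__":
    # A packet with no flags and zero seq/ack hits SCAN NULL; a FIN-only packet hits SCAN FIN.
    print(matching_rules(0, seq=0, ack=0), matching_rules(FLAG_BITS["F"]))
```

The sid values returned are what you would comment out of scan.rules (or list in a pass rule) if these alerts are unwanted, whereas spp_portscan is a separate preprocessor and never produces them.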
