Snort mailing list archives

RE: preprocessor portscan2-ignorehosts + "WEBTRAFFIC"


From: rellington () assesstech com (Ray Ellington)
Date: Fri, 14 Mar 2003 16:39:55 -0500

Try this:
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS

Notice the removal of the comma.

-Ray

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of mike Hughes
Sent: Friday, March 14, 2003 4:03 PM
To: bkarnold () cbu edu; snort-users () lists sourceforge net
Subject: [Snort-users] preprocessor portscan2-ignorehosts + "WEBTRAFFIC"


Hello,

I am trying to cut back on the false alarms I receive. I get a lot of "web
traffic" like this in my ACID CONSOLE alerts, after I visit sites like
www.MSN.com, etc. I want to try to stop all these alerts, so
(192.173.60.183 -BEING my IP ADDRESS- eth0_ADDRESS)
########################################################################
#0-(2-1295)  [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 1186 seconds
             2003-03-14 13:08:16  192.173.60.183:53  208.38.45.164:53  UDP
#1-(2-1294)  [snort] (spp_portscan2) Portscan detected from 208.38.45.177: 1 targets 21 ports in 16 seconds
             2003-03-14 12:46:09  208.38.45.177:80  192.173.60.183:3172  TCP
#2-(2-1293)  [snort] (spp_portscan2) Portscan detected from 192.173.60.183: 6 targets 6 ports in 13 seconds
             2003-03-14 12:45:53  192.173.60.183:53  12.47.217.11:53  UDP
#3-(2-1292)  [snort] (spp_portscan2) Portscan detected from 64.4.8.24: 1 targets 21 ports in 3 seconds
             2003-03-14 12:44:33  64.4.8.24:80  192.173.60.183:3121  TCP
########################################################################
So I have "preprocessor portscan2" enabled and I added a few things to
"preprocessor portscan2-ignorehosts", but they both come back with ERRORS
when I start "SNORTD". Here are the 2 things that I tried to add:

preprocessor portscan2-ignorehosts: $DNS_SERVERS, $eth0_ADDRESS
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5,
port_limit 20, timeout 60
AND:
preprocessor portscan2-ignorehosts: [$DNS_SERVERS, $eth0_ADDRESS]

Any idea on how to write this line properly, and/or another way to stop all
these ALERTS I get? Thanks

Mike








-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
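
A check for the list syntax discussed in this thread, added here as an example (it is not code from either poster or from the Snort project). It assumes the only accepted form of the directive is the space-separated one given in the reply; the function name and the sample config are constructed for illustration.

```python
import re

# Matches the directive discussed in the thread and captures its argument list.
DIRECTIVE = re.compile(r"^\s*preprocessor\s+portscan2-ignorehosts\s*:\s*(.*)$")

# Constructed sample: the two forms reported as failing, then the form from the reply.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
preprocessor portscan2-ignorehosts: $DNS_SERVERS, $eth0_ADDRESS
preprocessor portscan2-ignorehosts: [$DNS_SERVERS, $eth0_ADDRESS]
preprocessor portscan2-ignorehosts: $DNS_SERVERS $eth0_ADDRESS
"""

def lint_ignorehosts(conf_text):
    """Return (line_no, problems, suggested_line) for each ignorehosts directive.

    Assumption: entries must be separated by whitespace only, as in the reply.
    """
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comments and other directives are ignored
        args = match.group(1).strip()
        problems = []
        if "," in args:
            problems.append("comma-separated list")
        if "[" in args or "]" in args:
            problems.append("bracketed list")
        # Recover the entries regardless of which separator style was used.
        entries = [e for e in re.split(r"[\s,\[\]]+", args) if e]
        if not entries:
            problems.append("no hosts listed")
        suggested = "preprocessor portscan2-ignorehosts: " + " ".join(entries)
        findings.append((line_no, problems, suggested))
    return findings

if __name__ == "__main__":
    for line_no, problems, suggested in lint_ignorehosts(SAMPLE_CONF):
        status = ", ".join(problems) if problems else "ok"
        print(f"line {line_no}: {status}")
        if problems:
            print(f"  suggested: {suggested}")
```

Running the check before restarting snortd catches the separator problem without waiting for the startup error.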





