Re: portscan2-ignore... ???

[Michael D Schleif <mds () helices org>]

But, wait, there's more (confusion) . . .

Michael D Schleif <mds () helices org> [2003:08:17:13:41:02-0500] scribed:
> Erek Adams <erek () snort org> [2003:08:17:13:56:25-0400] scribed:
> > On Sat, 16 Aug 2003, Michael D Schleif wrote:
> > [...snip...]
> > > Considering the lack of documentation on this preprocessor, I am
> > > belaboring this point, because I need to understand the intended
> > > behaviour of portscan[2]?
> > [...snip...]
<snip />

> > If you want to drop the host in all parts of snort, you'll need to use a
> > BPF filter.  You could do something like:
> >
> >     snort <options> 'not src host 192.168.123.150'
> >
> > That would ignore all traffic _from_ 192.168.123.150.  You can refine that
> > more and use src/dst ports, but that an exercise for the reader.  :)  For
> > more info on BPF filters, check out the tcpdump man page[0].
>
> That is *not* what I want to do ;>
>
> As I explained in the original post:
>
>    ``What if I want to ignore spp_portscan2 *only* originating from
>    192.168.123.150?  Suppose that I am very interested in any scans where
>    192.168.123.150 is the destination/subject of that scan?''
>
> Now, I have un-configured portscan[1], and have retested:
>
> [1] From 192.168.123.110: nmap -O 192.168.123.150 -- which spews into
> /var/log/snort/portscan2.log, and gives me spp_portscan2 in
> /var/log/snort/alert .
>
> [2] From 192.168.123.150: nmap -O 192.168.123.110 -- which puts
> _nothing_ in /var/log/snort/portscan2.log, and _no_ spp_portscan2 in
> /var/log/snort/alert .
>
> [3] From 192.168.123.150: nmap -O localhost -- which puts _nothing_ in
> /var/log/snort/portscan2.log, and _no_ spp_portscan2 in
> /var/log/snort/alert .
>
> So, I guess my confusion was whether or not *ALL* scans of
> 192.168.123.150, originating somewhere other than 192.168.123.150, would
> result in spp_portscan2 alerts?  Apparently, as I desire, that is the
> case.
>
> Have I missed anything?  If not, case closed and thank you for
> clarification . . .

Although, from [1] above, the scan is confirmed to be logged to
/var/log/snort/alert, it *DOES NOT* make it into my `daily report' ;<

So, I am definitely re-confused.  What is the intended behaviour for the
scenario I describe?  Should, or should _not_, *all* events in
/var/log/snort/alert show up in the `daily report'?

I am missing something, and would appreciate a clue . . .

-- 
Best Regards,

mds
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--

Attachment: _bin
Description: