Snort mailing list archives
Re: portscan2 false positives from web browsing
From: Erek Adams <erek () snort org>
Date: Tue, 19 Aug 2003 14:29:31 -0400 (EDT)
On Mon, 18 Aug 2003, Ricky Charlet wrote:
(I think) If I browse any web site which has banner ads, then the portscan2 preprocessor alarms with something like:
=========cut =========
Aug 18 15:21:05 dsl081-066-008 snort: [117:1:1] (spp_portscan2) Portscan detected from <MY_IP_ADDRESS>: 6 targets 6 ports in 13 seconds {TCP} <MY_IP_ADDRESS>:56541 -> <ADDRESS_OF_BANNER_ADD_SERVER?>:80
=========paste=============
This produces a lot of false positive "portscan detected" events in my logs. Is there a way to ignore portscans ORIGINATING from my host AND targeted to port 80?
Portscan2 has ignorehosts and ignore{src,dst}ports directives. Just use that, or use a BPF filter to totally ignore traffic.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
Current thread:
- portscan2 false positives from web browsing Ricky Charlet (Aug 19)
- Re: portscan2 false positives from web browsing Matt Kettler (Aug 19)
- Re: portscan2 false positives from web browsing Erek Adams (Aug 19)