Snort mailing list archives
Re: Portscan2, where port !=X
From: Matt Kettler <mkettler () evi-inc com>
Date: Sun, 31 Aug 2003 11:26:04 -0400
At 09:55 PM 8/30/2003 -0500, Jade E. Deane wrote:
Is it possible to ignore a scan using portscan2, where the source port is X? Example:
07/06/03-17:55:19.708517 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108
07/06/03-17:55:20.136362 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108
07/06/03-17:55:20.268826 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108
Of note, are you running snort on low-end hardware? This is the kind of false positive "syn ack" scan I was seeing when I ran snort on a p-166 with portscan2 enabled. It was dropping so many packets that it missed the initial syn, so it declared the syn-ack a scan.
Once I disabled portscan2 and conversation the packet drop rate fell back to a normal level. I did lose portscan2's functionality, but at least snort was no longer dropping 5-10% of the packets coming in, so that the normal rules would at least work.
Check your packet drop rates. If they are high, disable portscan2 and conversation or upgrade your hardware.
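As an added example (not from the thread and not Snort's own code), a small Python triage script that parses portscan2 entries in the format quoted above and flags the pattern Matt describes: SYN/ACK-only events from a well-known service port to an ephemeral port, i.e. the reply half of a handshake whose outbound SYN the sensor dropped. The flag column order (1 2 U A P R S F) is Snort's; the fourth sample line, its 192.0.2.10 address and the 1024 port boundary are assumptions of this example.

```python
import re
from typing import List, Optional

# One portscan2 log entry, with the field layout shown in the post quoted above.
ENTRY_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<proto>\w+)\s+src:\s*(?P<src>[\d.]+)\s+dst:\s*(?P<dst>[\d.]+)\s+"
    r"sport:\s*(?P<sport>\d+)\s+dport:\s*(?P<dport>\d+)\s+tgts:\s*(?P<tgts>\d+)\s+"
    r"ports:\s*(?P<ports>\d+)\s+flags:\s*(?P<flags>\S{8})\s+event_id:\s*(?P<event_id>\d+)"
)

def parse_entry(line: str) -> Optional[dict]:
    """Parse one portscan2 line into a dict; return None if the line does not match."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "tgts", "ports", "event_id"):
        ev[key] = int(ev[key])
    return ev

def is_syn_ack_only(flags: str) -> bool:
    """Snort prints TCP flags as 8 columns in the order 1 2 U A P R S F, '*' = unset."""
    return flags[3] == "A" and flags[6] == "S" and all(flags[i] == "*" for i in (0, 1, 2, 4, 5, 7))

def looks_like_missed_handshake(ev: dict) -> bool:
    """A SYN/ACK from a well-known service port to an ephemeral port is the reply half of a
    handshake; when the outbound SYN was dropped, portscan2 only ever sees this half."""
    return (ev["proto"] == "TCP" and is_syn_ack_only(ev["flags"])
            and ev["sport"] < 1024 and ev["dport"] >= 1024)

def triage(lines: List[str]) -> dict:
    """Count entries that fit the dropped-SYN pattern against everything else."""
    counts = {"parsed": 0, "suspect_reply": 0, "other": 0}
    for line in lines:
        ev = parse_entry(line)
        if ev is None:
            continue
        counts["parsed"] += 1
        counts["suspect_reply" if looks_like_missed_handshake(ev) else "other"] += 1
    return counts

# The first three lines are the entries quoted in the thread; the fourth is a constructed
# SYN-only probe from an ephemeral port so the two cases can be told apart.
SAMPLE = [
    "07/06/03-17:55:19.708517 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49399 tgts: 1 ports: 60 flags: ***A**S* event_id: 108",
    "07/06/03-17:55:20.136362 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 39705 tgts: 1 ports: 61 flags: ***A**S* event_id: 108",
    "07/06/03-17:55:20.268826 TCP src: 168.103.115.138 dst: 10.0.47.3 sport: 443 dport: 49401 tgts: 1 ports: 62 flags: ***A**S* event_id: 108",
    "07/06/03-17:56:02.000000 TCP src: 192.0.2.10 dst: 10.0.47.3 sport: 40123 dport: 22 tgts: 1 ports: 5 flags: ******S* event_id: 109",
]
```

Running `triage(SAMPLE)` classifies the three quoted entries as suspected handshake replies and the constructed SYN probe as something to look at; a high share of "suspect_reply" next to a high packet drop counter is the symptom Matt describes.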