Snort mailing list archives

RE: No clue?


From: John Friedman <jfriedmanx () yahoo com>
Date: Tue, 15 Nov 2005 14:41:42 -0800 (PST)

Thanks for the help.  Now I comment out
                         memcap { 10000000 } \
                         sense_level { low }
and the snort service can be restarted fine, but I
still get these alerts:
*************************
ID  <Signature>  <Timestamp>  <Source Address>  <Dest. Address>  <Layer 4 Proto>

#0-(2-11319)  [snort] spp_portscan: End of portscan from 10.1.10.5: TOTAL time(1s) hosts(2) TCP(5) UDP(0)  2005-11-15 17:36:36  10.1.10.5  unknown  IP
#1-(2-11318)  [snort] spp_portscan from 10.1.10.5: 5 connections across 2 hosts: TCP(5), UDP(0)  2005-11-15 17:36:19  10.1.10.5  unknown  IP
#2-(2-11317)  [snort] spp_portscan detected from 10.1.10.5 (THRESHOLD 4 connections exceeded in 0 seconds)  2005-11-15 17:36:09  10.1.10.5  unknown  IP
********

Then I use ignore_scanners {i0.1.10.5} and I still get
these alerts too.

No clue why?

Thanks,

John
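For reference, here is what a complete sfportscan preprocessor line looks like once ignore_scanners is added to the memcap and sense_level options quoted in this thread. This is an added example, not a line from any of the posters' configurations; 10.1.10.5 is the source address in the alerts above, and the proto and scan_type values are assumed, illustrative choices.

```conf
# Added example of a Snort 2.x sfportscan line (not from the thread).
# Each continued line ends in a backslash, with no trailing whitespace after it;
# the last option line carries no backslash.
# ignore_scanners suppresses portscan alerts whose *source* is a listed address.
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { 10.1.10.5 }
```

Two things to check after editing snort.conf: the backslash continuation is only honoured when it is the very last character on the line, so a stray space after `\` makes the next option line look like an unknown directive and the service fails to start; and the configuration can be validated without starting the service with `snort -T -c /etc/snort/snort.conf` (the path is whatever your installation uses). Because the preprocessor is configured at startup, alerts from the ignored host only stop after Snort has been restarted with the new line in place.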


--- "Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:

Did you comment out the lines following the
preprocessor sfportscan
line?
                        memcap { 10000000 } \
                        sense_level { low }


A few lines above the preprocessor sfportscan line there is a
description of
ignore_scanners

Bruce

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On
Behalf Of John
Friedman
Sent: Tuesday, November 15, 2005 2:47 PM
To: snort
Subject: Re: [Snort-users] No clue?

Thank you for your reply.  If I comment out
# preprocessor sfportscan:
the snort service cannot be started.  Also, what's
the syntax to ignore this host from sfportscan?

Thanks for your help,

John

--- Matt Kettler <mkettler () evi-inc com> wrote:

John Friedman wrote:
Hi all,

Since I did not get any reply on this, is there
any way to suppress or pass this alert?


Suggestion: look at the ignorehosts option for portscan.

Pass definitely will not work. Since pass is a rule, it can only work if the
offending traffic is matching a rule.

You might be able to suppress it, but you'd probably wind up having to suppress
all portscans...

It's generally best to configure your portscan plugins properly in the first
place. Actually, if you're monitoring an internal LAN, you'll probably just want
to turn it off or turn the thresholds way up.




              
__________________________________ 
Start your day with Yahoo! - Make it your home page!

http://www.yahoo.com/r/hs



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users







                
__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com



