Snort mailing list archives

Re: sfPortscan - false positive


From: Y M <snort () outlook com>
Date: Sun, 21 Feb 2016 15:23:54 +0000

What are the configurations you have?
Have you configured the sensitivity level? Obviously you can ignore those scan sources that you feel shouldn't be 
showing up. I'm not sure what FPs you are seeing or how you are configured.

You can also check thresholding and suppression for the sid/gid.

YM

Sent from Mobile

_____________________________
From: Izik Birka <izik.birka () hot net il>
Sent: Sunday, February 21, 2016 6:15 PM
Subject: RE: [Snort-users] sfPortscan - false positive
To: Y M <snort () outlook com>
Cc: <snort-users () lists sourceforge net>


Yes I know, but still it's not enough. I'm still getting a lot of false positives.
Are these the only options I have?

Thanks
izik

From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 21, 2016 4:33 PM
To: Izik Birka <Izik.Birka () hot net il>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] sfPortscan - false positive

If you review the sfportscan configurations here: http://manual.snort.org/node79.html, you can specify the scan type 
and the scan sensitivity, watch, and ignore. Portsweep is different from port scan; this is just an example.

YM

Sent from Mobile



On Sun, Feb 21, 2016 at 6:28 AM -0800, "Izik Birka" <Izik.Birka () hot net il> wrote:
How can this data help me? If I can't change the ratio,
I continue to get false positive alerts.

Is there any way to configure the number of scanning attempts and the time period for the alert to show?

In the past the command was a bit different and I was able to configure it.

Example:
preprocessor portscan: 192.168.1.0/24 10 60
10 is the number of scanning attempts
60 is the time period

Thanks
Izik Birka



From: Y M [mailto:snort () outlook com]
Sent: Sunday, February 21, 2016 4:20 PM
To: Izik Birka <Izik.Birka () hot net il>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sfPortscan - false positive

I believe they refer to the data generated by the preprocessor. Review the distribution of the data points mentioned. I 
am not on a computer to verify.

YM

Sent from Mobile


On Sun, Feb 21, 2016 at 3:20 AM -0800, "Izik Birka" <Izik.Birka () hot net il> wrote:
Hi
I'm trying to tune PortScan false positives. I found this explanation on the Snort site:

Make use of the Priority Count, Connection Count, IP Count, Port Count, IP range, and Port range to determine false 
positives.

But I didn't understand where I can change those values.

Who knows ?

Thanks
Izik Birka
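An added snort.conf example (not from any poster in this thread) showing the knobs YM points at: sfPortscan's sense_level, watch_ip, ignore_scanners and ignore_scanned, plus an event_filter and a suppress on the preprocessor's gen_id 122. sfPortscan does not take a count/seconds pair like the older "preprocessor portscan" line Izik quoted; the detection window is chosen by sense_level and the alert volume is then shaped by event_filter/suppress. The addresses and the portscan.log path are illustrative placeholders.

```conf
# sfPortscan preprocessor (Snort 2.x). Hypothetical networks, not from the thread.
# sense_level: low alerts mainly on negative responses (RSTs/unreachables) and
# produces the fewest false positives; medium and high widen what counts as a scan.
preprocessor sfportscan: proto { all } \
    scan_type { portscan portsweep } \
    sense_level { low } \
    watch_ip { 192.168.1.0/24 } \
    ignore_scanners { 192.168.1.10 192.168.1.11 } \
    ignore_scanned { 192.168.1.53 } \
    logfile { portscan.log }

# Thresholding / suppression for sfPortscan events (gen_id 122).
# sig_id 1 = TCP Portscan, sig_id 3 = TCP Portsweep.
# Emit at most one TCP Portscan alert per source every 60 seconds.
event_filter gen_id 122, sig_id 1, type limit, track by_src, count 1, seconds 60
# Silence TCP Portsweep alerts from one known-noisy host (placeholder address).
suppress gen_id 122, sig_id 3, track by_src, ip 192.168.1.20
```

Add a host to ignore_scanners only after checking the Priority Count and Connection Count in its portscan.log records; a suppress hides the alert but the preprocessor still tracks that source.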

This message (including any attachments) is intended only for the use of the individual or entity to which it is 
addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, 
confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you 
are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
If you have received this communication by error, notify the sender immediately and delete this message immediately. 
Thank you.

