Hi All,
I've set up a snort box on the perimeter of an office network, and I'm
getting a lot of what I believe are false alarms from the sfportscan
module. What I'm interested in being alerted to is:
Internal -> Internal portscans
Internal -> External portscans
However, apparently a lot of systems are apparently causing false
alarms. Is there a minimum time between events threshold that I can
tune, or a way to exclude certain ports? (80 and 443 come to mind.) I
don't want to disable alerts for portsweeps entirely since so many bots
do in fact use portsweeps to find large numbers of vulnerable hosts.
Here's an example of the kind of false alarm I want to get rid of:
[**] [122:3:0] (portscan) TCP Portsweep [**]
03/08-13:22:40.607407 192.168.XXX.XXX -> 68.142.219.133
RESERVED TTL:0 TOS:0x20 ID:48565 IpLen:20 DgmLen:164 DF
Time: 03/08-13:22:40.627571
event_ref: 192
192.168.XXX.XXX -> 68.142.219.133 (portscan) Open Port
Open Port: 80
I chose this example because I'm 100% sure it's a false alarm - the host
being "scanned" is part of Yahoo! Music, and I confirmed that the
end-user had really actually made a connection to that host.
THanks!
--Alex
/----------------------------------------------------------------------\
| Alex Gottschalk <agottschalk@letstalk.com>
| LetsTalk, Inc. -- IT Manager/Sysadmin
\----------------------------------------------------------------------/
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
