
List:       snort-users
Subject:    [Snort-users] sf_portscan tuning
From:       "Turnbough, Bradley E." <bturnbough () belcan ! com>
Date:       2012-10-29 19:15:40
Message-ID: 61D8E141C1A91B4587677D181DFF28ED47EFD7E7 () AWHMBX01 ! belcan ! com

Can someone tell me how to filter this out of the portscan.log file?

Time: 10/29-15:10:06.363387
event_ref: 0
11.22.33.44 -> 55.66.77.88 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 19
Scanned IP Range: 9.10.11.12:13.14.15.16
Port/Proto Count: 1
Port/Proto Range: 113:113

I only want to filter out what this thing considers scans from 11.22.33.44 to TCP 113 on any host.  11.22.33.44 is a Proxy server and is querying for TCP 113 because 113 is tied to IDENT (our proxy auth tracking mechanism).


This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
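One way to drop exactly the events described above from portscan.log after the fact, as an added example that is not part of the original post or of Snort itself: it parses the blank-line-separated record format shown in the post and suppresses only TCP events from the proxy (11.22.33.44, taken from the post) whose Port/Proto Range is exactly 113:113, keeping anything else the proxy does. The sample log is constructed to mirror the post's record plus one event that must survive; the rule that a wider port range (e.g. 113:445) is kept is this example's own choice.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample modelled on the portscan.log excerpt in the post: the
# proxy's IDENT portsweep (to be dropped) and a second event that must be kept.
SAMPLE_LOG = """\
Time: 10/29-15:10:06.363387
event_ref: 0
11.22.33.44 -> 55.66.77.88 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 19
Scanned IP Range: 9.10.11.12:13.14.15.16
Port/Proto Count: 1
Port/Proto Range: 113:113

Time: 10/29-15:12:41.000001
event_ref: 0
11.22.33.44 -> 55.66.77.89 (portscan) TCP Portscan
Port/Proto Count: 40
Port/Proto Range: 21:1024
"""

# "<src> -> <dst> (portscan) <PROTO> <scan type>" header line of each record
EVENT_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (\w+) (.+)$")

def parse_portscan_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line-separated record in portscan.log."""
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {"raw": block}
        for line in block.splitlines():
            m = EVENT_RE.match(line)
            if m:
                ev["src"], ev["dst"], ev["proto"], ev["type"] = m.groups()
            elif ": " in line:
                key, val = line.split(": ", 1)
                ev[key] = val
        if "src" in ev:  # ignore fragments with no event line
            yield ev

def is_expected_ident_sweep(ev: Dict[str, str], proxy: str = "11.22.33.44", port: int = 113) -> bool:
    """True only for the proxy's TCP events whose port range is exactly port:port."""
    # A range such as 113:445 means the proxy touched other ports too and is kept:
    # suppress the one known-benign pattern, not everything the host does.
    lo, _, hi = ev.get("Port/Proto Range", "").partition(":")
    return ev.get("src") == proxy and ev.get("proto") == "TCP" and lo == hi == str(port)

def filter_log(text: str, **kw) -> List[Dict[str, str]]:
    """Records that survive the filter; pass proxy=/port= to tune it."""
    return [ev for ev in parse_portscan_log(text) if not is_expected_ident_sweep(ev, **kw)]
```

sfPortscan's own ignore_scanners option would silence every scan event from the proxy rather than only its port-113 sweeps, which is why this filter keys on the port range as well as the source. Run it over a real file with `filter_log(open("portscan.log").read())` and write out each surviving record's `raw` text.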
