List: snort-users
Subject: Re: [Snort-users] HP Jetdirect Printers and portscans
From: Joe McAlerney <joey () SiliconDefense ! com>
Date: 2001-06-29 17:12:03
Hello Paul,
You could add them to the portscan-ignorehosts list, or raise your
threshold a bit. 10 connections in 20 seconds seems a bit low. It
seems web browsing to pages with 10 or more banner ads would set that
off as well.
-Joe M.
--
| Joe McAlerney joey@silicondefense.com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
+-- --+
Paul Asadoorian wrote:
>
> I am logging all my HP JetDirect printers (we have many, like 100's) in
> the portscan module:
>
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3649 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3650 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3651 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3652 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3653 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3654 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3655 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3656 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3657 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3658 UDP
> Jun 29 11:29:17 MY.NET.51.32:161 -> MY.NET.19.248:3659 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3660 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3661 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3662 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3663 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3665 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3666 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3667 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3668 UDP
> Jun 29 11:29:18 MY.NET.51.32:161 -> MY.NET.19.248:3670 UDP
> Jun 29 11:29:27 MY.NET.51.32:161 -> MY.NET.19.248:3720 UDP
>
> My portscan settings are as follows:
>
> preprocessor portscan: $HOME_NET 10 20 portscan.log
>
> Any help is greatly appreciated...
>
> BTW: MY.NET.51.32 is a Jet Direct Print Server and MY.NET.19.248 is a
> Novell Server
>
> --
> Paul Asadoorian, GCIA
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
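The two options from the reply, checked against the quoted log entries, as an added example that is not part of the original thread and is not Snort's code. It is a simplified model of a "N ports in T seconds" counter; `count_alerts` and its parameters are hypothetical names, and the year is taken from the message date because the log lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The quoted portscan.log entries, rebuilt in the same line format.
PORTS_BY_TIME = {
    "11:29:17": list(range(3649, 3660)),
    "11:29:18": [3660, 3661, 3662, 3663, 3665, 3666, 3667, 3668, 3670],
    "11:29:27": [3720],
}
LOG = [f"Jun 29 {t} MY.NET.51.32:161 -> MY.NET.19.248:{p} UDP"
       for t, ports in PORTS_BY_TIME.items() for p in ports]

LINE = re.compile(r"^(\w+ +\d+ [\d:]+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse(line):
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    # Assumption: year 2001, from the message date (the log has no year).
    ts = datetime.strptime("2001 " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5))

def count_alerts(lines, ports, seconds, ignore=()):
    """Simplified model: alert when one source reaches `ports` distinct
    (destination, port) pairs within `seconds`, then start counting afresh."""
    recent = defaultdict(deque)          # source -> (time, destination, port)
    alerts = defaultdict(int)
    for ts, src, dst, dport in map(parse, lines):
        if src in ignore:                # analogue of portscan-ignorehosts
            continue
        window = recent[src]
        window.append((ts, dst, dport))
        while (ts - window[0][0]).total_seconds() > seconds:
            window.popleft()             # drop events older than the period
        if len({(d, p) for _, d, p in window}) >= ports:
            alerts[src] += 1
            window.clear()
    return dict(alerts)

if __name__ == "__main__":
    print("10 ports / 20 s:", count_alerts(LOG, 10, 20))
    print("25 ports / 20 s:", count_alerts(LOG, 25, 20))
    print("printer ignored:", count_alerts(LOG, 10, 20, ignore={"MY.NET.51.32"}))
```

The printer's SNMP replies reach 21 distinct ports on the Novell server within 10 seconds, so the "10 20" setting fires twice in this model, while a higher port count or an ignore entry for the printer produces no alert.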