Hi again! Still got a problem with snort, or my setup or whatever... Following:

[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:57:21.842870
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:58:21.841503
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:58:26.134428

And this repeats over and over again... I set alert-mode to full, is that the problem? My alert-file has risen to 1.5MB in only 3 days... HELP ME, PLEASE!

TIA
markus
* Markus Kohli wrote on Wed, Sep 26, 2001 at 23:00 +0200:
> Hi again! Still got a problem with snort, or my setup or whatever... Following:
> [**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
> 09/26-22:57:21.842870

I guess this is correct.

> And this repeats over and over again...

Well, I guess the requests came over and over again.

> I set alert-mode to full, is that the problem?

Is it a problem?

> My alert-file has risen to 1.5MB in only 3 days...

Yes, and what? Do you have a 100MB harddisk only? Or do you need a tool to filter the really important messages out of this "junk"?

> HELP ME, PLEASE!

You haven't even described a problem. As I wrote already, try to adapt the portscan triggers if you want it more tolerant. Please note that you get portscan status messages; that means snort "detects" a very long scan... Try a trigger of 3 seconds, or better, fix the problem: if 10.0.3.19 sends packets at least every 5 seconds, there may be something screwed up.

oki,
Steffen

-- 
This message was generated automatically and therefore bears neither signature nor seal.
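Steffen's point that the alert file is mostly repeats of one status message, and that a tool could pull the important entries out of the noise, can be checked with a small script. The following is an added example, not code from the thread or from the Snort project: it parses alert lines in the shape quoted above (the "[**] [gid:sid:rev] message [**]" header followed by a MM/DD-HH:MM:SS.usec timestamp), groups them by signature and source address, and reports how many times each group fired and the shortest interval between repeats, which is the number to compare against the portscan trigger period. The sample text is constructed from the quoted lines; the 10.0.3.20 entry is a constructed addition, and the year 2001 is supplied because Snort 1.x timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample text in the shape of the Snort "full" alert-mode lines
# quoted in the thread. The three 10.0.3.19 entries mirror the quoted ones;
# the 10.0.3.20 entry is a constructed addition to show grouping by source.
SAMPLE_ALERTS = """\
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:57:21.842870
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:58:21.841503
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.19: 2 connections across 2 hosts: TCP(1), UDP(1) [**]
09/26-22:58:26.134428
[**] [100:2:1] spp_portscan: portscan status from 10.0.3.20: 3 connections across 1 hosts: TCP(3), UDP(0) [**]
09/26-23:01:02.000000
"""

# One alert = "[**] [gid:sid:rev] message [**]" followed by a timestamp of the
# form MM/DD-HH:MM:SS.usec. Any whitespace (newline or space) may separate the
# parts, so the same regex works on the flattened text of the thread and on
# a real alert file.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
)
# The portscan status message names its source as "from a.b.c.d".
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_alerts(text, year=2001):
    """Return a list of alert dicts (signature, source, message, timestamp).

    Snort 1.x timestamps carry no year, so the caller supplies it (assumed
    2001 here, the year of the thread).
    """
    events = []
    for m in ALERT_RE.finditer(text):
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        src = SRC_RE.search(m["msg"])
        events.append({
            "sig": f"{m['gid']}:{m['sid']}:{m['rev']}",
            "src": src.group(1) if src else None,
            "msg": m["msg"],
            "ts": ts,
        })
    return events


def summarize(events):
    """Group alerts by (signature, source) and measure how often they repeat."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sig"], e["src"])].append(e["ts"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            # Shortest interval between two repeats; None for a single alert.
            "min_gap_s": min(gaps) if gaps else None,
        }
    return summary


def noisiest(summary, n=5):
    """Group keys ordered by repeat count, most repetitive first."""
    return sorted(summary, key=lambda k: summary[k]["count"], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    for sig, src in noisiest(s):
        row = s[(sig, src)]
        print(f"{sig} from {src}: {row['count']} alerts, "
              f"{row['first'].time()} .. {row['last'].time()}, "
              f"shortest repeat {row['min_gap_s']}s")
```

Run against the real alert file (`summarize(parse_alerts(open("alert").read()))`), the top entries of `noisiest()` are the groups worth either tuning out of the preprocessor or investigating on the source host, and `min_gap_s` shows whether that host really is sending something every few seconds.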
participants (2)
- Markus Kohli
- Steffen Dettmer