Snort mailing list archives

Re: how to disable spp_porscan?


From: robe () alfa21 com (Roberto Suarez Soto)
Date: Thu, 20 Dec 2001 16:45:31 +0100

On Dec/19, Phil Wood wrote:

> Lo and Behold, I had one file (the binary file from -b) show up in the
> /var/log/snort directory.  I did a standard nmap of my system, and no
> portscans.  Then, I enabled portscans in the snort.conf file, and restarted
> snort (same way).  Lo and Behold, after running same nmap, I had a portscan
> file.

        Gasp. Running snort 1.8.3, in Linux 2.4.x too? I guess that's a
misconfiguration on my part, then. Or maybe I just built it wrongly, or with
some kind of weird option. Did you build your snort program? With any special
options?

> So, my question still is what is in the include file?  And/or, have you
> found that there is something different in the /etc/snort directory?

        Well, the include file has simply a list of the .rules files to
include. I'm sending it as an attachment, though I don't think (but I'm open
to admitting I'm wrong :-)) that it has anything to do with this case. The
files included are the same ones downloaded from snort's homepage, with some
alerts commented out, but no other modification.

        The file "local-first", which appears as the first line of the include
file, has several rules to ignore all traffic coming from the host itself,
something like this:

        pass tcp XX.XX.XX.XX any -> $HOME_NET any
        pass udp XX.XX.XX.XX any -> $HOME_NET any
        pass icmp XX.XX.XX.XX any -> $HOME_NET any
        pass ip XX.XX.XX.XX any -> $HOME_NET any

        And this set of rules for each IP, of course. Nothing more.

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

Attachment: snort.rules.include
Description:

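To make concrete what those pass rules do and do not cover, here is an added example (not code from the thread or from the Snort project) in Python: a toy evaluator for Snort 1.x-style pass/alert rules. It parses a constructed "local-first" fragment of the kind quoted above (hypothetical addresses stand in for the XX.XX.XX.XX placeholders, and the $HOME_NET variable is assumed to be 192.168.1.0/24) and reports the action the rules engine would take for a given packet. It models the ordering that bites people with pass rules in Snort 1.x: by default alert rules are checked before pass rules, so a pass rule only exempts traffic that no alert rule already matches, and the order becomes Pass->Alert->Log only when snort is started with -o. Note that this concerns the rules engine alone; the spp_portscan preprocessor runs before the rules and its portscan log is not affected by pass rules at all.

```python
"""Toy evaluator for Snort 1.x-style pass/alert rules (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample rules, modelled on the "local-first" file quoted in the
# post.  192.168.1.10 is a hypothetical stand-in for the XX.XX.XX.XX entries.
HOME_NET = "192.168.1.0/24"                      # assumed value of $HOME_NET
VARIABLES = {"$HOME_NET": HOME_NET}
LOCAL_FIRST_RULES = """
# ignore everything one of our own hosts sends into $HOME_NET
pass tcp 192.168.1.10 any -> $HOME_NET any
pass udp 192.168.1.10 any -> $HOME_NET any
pass icmp 192.168.1.10 any -> $HOME_NET any
pass ip 192.168.1.10 any -> $HOME_NET any
# two ordinary alert rules, as would come from a downloaded .rules file
alert tcp any any -> $HOME_NET 22 (msg:"SSH probe";)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET probe";)
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: str


def parse_rules(text):
    """Parse the 'action proto src sport -> dst dport (opts)' rule header."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, opts = line.partition("(")
        parts = head.split()
        if len(parts) != 7 or parts[4] != "->":
            raise ValueError(f"unsupported rule syntax: {line}")
        action, proto, src, sport, _, dst, dport = parts
        rules.append(Rule(action, proto, src, sport, dst, dport, opts.rstrip(")")))
    return rules


def _addr_match(spec, addr, variables):
    if spec == "any":
        return True
    spec = variables.get(spec, spec)          # resolve $HOME_NET-style names
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, proto, src, sport, dst, dport, variables=VARIABLES):
    """True if one rule header matches a packet 5-tuple; 'ip' matches any proto."""
    proto_ok = rule.proto == "ip" or rule.proto == proto
    return (proto_ok
            and _addr_match(rule.src, src, variables)
            and _port_match(rule.sport, sport)
            and _addr_match(rule.dst, dst, variables)
            and _port_match(rule.dport, dport))


def evaluate(rules, proto, src, sport, dst, dport, pass_first=False,
             variables=VARIABLES):
    """Return (action, options) the rules engine would take for one packet.

    Default Snort 1.x order is Alert -> Pass -> Log; the -o switch changes it
    to Pass -> Alert -> Log.  pass_first=True models running with -o.
    """
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for r in rules:
            if r.action == action and rule_matches(r, proto, src, sport, dst,
                                                   dport, variables):
                return action, r.options
    return "none", ""


if __name__ == "__main__":
    rules = parse_rules(LOCAL_FIRST_RULES)
    # Our own host probing port 22 inside $HOME_NET: alerted by default,
    # silently passed only when snort runs with -o.
    print(evaluate(rules, "tcp", "192.168.1.10", 40000, "192.168.1.20", 22))
    print(evaluate(rules, "tcp", "192.168.1.10", 40000, "192.168.1.20", 22,
                   pass_first=True))
```

Run it as-is to see the two outcomes for the same packet. The practical point for the thread: a "local-first" pass set only silences rule-based alerts, and under the default ordering it does not even do that when an alert rule matches first; it has no bearing on whether the portscan preprocessor writes its log file.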