Snort mailing list archives

portscan2


From: "Fred McFeeters" <nfolink () hotmail com>
Date: Wed, 21 Jan 2004 12:40:20 -0600

Hello everyone.

   I'm pretty new to Snort; I have it up and running on two machines, one on
the firewall and one inside the firewall. It's up and running great; my
problem is that every time any of the PCs inside the firewall, or the
firewall itself for that matter, connects to a web site, it detects that as
a port scan, thus filling up my logs with unneeded logs.

So I have issued the preprocessor portscan2-ignorehost: and that seems to be
working, but I wanted to know if there were a different solution. I
have even tried raising the target count to 7 targets or 7 ports, but I'm
still getting a few false positives; not as many, though. The reason I don't
want to ignore the host on the inside of the wall is that if by some
chance the computer is compromised, I would like to be able to see if there
is or was a real port scan coming from my network. Are there any other
options out there?

P.S. I haven't upgraded because of issues with the firewall, Mandrake MNF 8.2,
but if it's the only option it can be done.

Thanks for your time

Fred McFeeters

