How to remove this (portscan) TCP Filtered Portsweep rules in Snort



  • Anyone could help, I need to remove this  "(portscan) TCP Filtered Portsweep" rules as it is keep providing a false alert and keep blocking user connect to the network.

    We found it happened after a large files transfer on FTP, or Mac user connect to our network through Pfsense.

    So, if anyone could help.

    Also a suggestion, if JamesDean could help.  May be we can have options to "reject" instead of "block" under Categories / Rules. This way we could avoid a lot of user complians and technical support by reject them on some unusal activites but at least they can still access.  As some of the ip connect to our network has a large amount of users behind it.

    Regards,

    Davc



  • Davc

    Post the alert you want to disable.

    James



  • Dear James,

    In the blocked tab, the alert messages:

    (portscan) TCP Filtered Portsweep

    Also now it takes a very long time to showed all the blocked ip in the Blocked Tab. The CPU is reached 100% and Memory is around 48% still take over 10 minutes to show all the ip.

    I am now on the RC1.6 version

    Regards,

    Davc



  • @Davc:

    Dear James,

    In the blocked tab, the alert messages:

    (portscan) TCP Filtered Portsweep

    Also now it takes a very long time to showed all the blocked ip in the Blocked Tab. The CPU is reached 100% and Memory is around 48% still take over 10 minutes to show all the ip.

    I am now on the RC1.6 version

    Regards,

    Davc

    No Davc, post the full alert with sid info.

    How many ips do you have when have the high cpu issue ?

    James



  • Hi James.

    In the Blocked Tab, it show the following
    Delete 203.194.35.55 (portscan) TCP Filtered Portsweep
    Delete 203.194.48.120 (portscan) TCP Filtered Portsweep
    Delete 203.194.118.24 (portscan) TCP Filtered Portsweep

    In the System Log, it show the following

    Oct 29 20:06:12 snort[53574]: [122:7:0] (portscan) TCP Filtered Portsweep[Priority: 3]: {PROTO:255} 203.194.35.55 -> 203.xxx.xxx.177
    Oct 29 20:06:12 snort[53574]: [122:7:0] (portscan) TCP Filtered Portsweep[Priority: 3]: {PROTO:255} 203.194.35.55 -> 203.xxx.xxx.177

    Around 60 blocked ip it will take a long time to display the blocked ip, sometime it will time out.

    Regards,

    Davc



  • Davc

    Do what you did to suppress the ftp alert you did not want.

    snort[53574]: [[color=red]122:7:0] (portscan) TCP Filtered Portsweep[Priority: 3]

    suppress gen_id 122, sig_id 7

    James



  • Dear James,

    Thankyou, I now understand how it work after a deep google search in the last 2 days and your hints.

    To work out the Gen ID & Sig ID, only if the "Alert Log" still have the IP and description to trace.

    Once again, many thanks for the help.  ;)  Truly appreciated.

    Davc


Log in to reply