Netgate Discussion Forum

Snort and PortScan detection

  • B
    Bredys
    last edited by Feb 8, 2007, 2:49 PM

    Greetings,

    I'm using Snort on the OPT interface for blocking P2P traffic.
    But I need to disable the default portscan detection in Snort. --> ( Portscan detected from 192.168.15.131 Talker(fixed: 30 sliding: 16) Scanner(fixed: 0 sliding: 0))

    Is it possible to disable portscan detection and blocking of IPs that do a portscan?

    • T
      trendchiller
      last edited by Feb 8, 2007, 4:22 PM

      When you have Snort updated to the newest version you can choose which rules to apply and also edit these rules,
      so you can apply your own settings…

      • B
        Bredys
        last edited by Feb 8, 2007, 8:11 PM

        I have selected only the P2P rule… nothing else...
        But Snort still alerts on portscans and blocks these IPs.

        • S
          sullrich
          last edited by Feb 8, 2007, 9:25 PM

          Whitelist the IP…

          • Y
            yoda715
            last edited by Feb 8, 2007, 11:58 PM

            When you edit the rules you need to restart snort. Currently you can do this from the main snort page by clicking save.

            • B
              Bredys
              last edited by Feb 9, 2007, 6:00 AM Feb 9, 2007, 5:58 AM

              When I whitelist this IP… then I cannot prevent P2P traffic from this IP.
              I only need to disable this portscan detection.
              Snort is a clear installation on a clear pfSense with the last snapshot...
              I never selected rules like "scan" etc., only p2p.

              I read something about Snort and I found that this is a built-in feature that can be disabled or modified in the config.
              So my question is: is it possible to add a feature for disabling or modifying (not block but only report) portscan detection in the webgui?

              • S
                sullrich
                last edited by Feb 9, 2007, 3:19 PM

                I am not sure that we can turn it off completely at the moment.  Probably need to create a checkbox to allow this.

                • P
                  pgzn
                  last edited by Jul 7, 2007, 6:48 PM

                  I installed Snort and get a ton of false positives on scans. It even blocked my own server monitor, which simply GETs HTTP content from a page every two minutes.

                  Changing these settings from "high" to low in /usr/local/etc/snort/snort.conf fixes most of the false positives:

                  #sf Portscan
                  preprocessor sfportscan: proto { all } \
                                           scan_type { all } \
                                           sense_level { low } \
                                           ignore_scanners { $HOME_NET }

                  To turn it off would probably involve changing "all" to none (just my guess). But it will be overwritten if any snort settings are changed. When editing the file you need to restart snort at Status | Services and double check to make sure it is still set at what it is supposed to be.

                  Easy to edit with WinSCP on a Windows system.

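An added example, not part of the thread or of the pfSense Snort package: a shell check for the "double check that it is still set" step above, since the post notes the hand edit is overwritten whenever Snort settings are changed. The function names are hypothetical, and it assumes the sfportscan directive is either on one line or split with backslash continuations; the path in the usage comment is the one given in the post.

```shell
#!/bin/sh
# Added example: report sfportscan options from a snort.conf and flag drift.
# Usage (path taken from the post): sh check_sfportscan.sh /usr/local/etc/snort/snort.conf low

# Join backslash-continued lines and print the active (uncommented)
# "preprocessor sfportscan" directive on a single line. Prints nothing if absent.
sfportscan_directive() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows editors
        cont  { line = line " " $0 }            # continuation of the previous line
        !cont { line = $0 }                     # start of a new logical line
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", line); cont = 1; next }
        { cont = 0 }
        line ~ /^[ \t]*preprocessor[ \t]+sfportscan[ \t]*:/ {
            gsub(/[ \t]+/, " ", line); print line
        }
    ' "$1"
}

# Print the value inside "<option> { ... }" of the sfportscan directive.
# $1 = config file, $2 = option name (e.g. sense_level, ignore_scanners).
sfportscan_option() {
    sfportscan_directive "$1" |
        sed -n "s/.*[ :}]$2 *{ *\([^}]*[^} ]\) *}.*/\1/p" | head -n 1
}

# Return 0 if sense_level equals the expected value, 1 if it has drifted,
# 2 if no active sfportscan directive (or no sense_level) is present.
check_sense_level() {
    conf=$1 want=$2
    got=$(sfportscan_option "$conf" sense_level)
    if [ -z "$got" ]; then
        echo "sfportscan: no active sense_level found in $conf"
        return 2
    fi
    if [ "$got" != "$want" ]; then
        echo "sfportscan: sense_level is '$got', expected '$want'"
        return 1
    fi
    echo "sfportscan: sense_level is '$got'"
}

# Run the check only when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_sense_level "$1" "${2:-low}"
fi
```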
                  • S
                    sullrich
                    last edited by Jul 7, 2007, 9:26 PM

                    Good find.  I have committed a change to make low the default.

                    Reinstall the package 5-10 minutes after this message to pick up the new version.

                    • P
                      pgzn
                      last edited by Jul 8, 2007, 7:54 AM

                      That ends that mystery. I rebooted the firewall at the data center, it updated automatically and when I went in to edit the file it was already set at "low". Was wondering on the way home how that happened :)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.