Snort and PortScan detection

Bredys · Feb 8, 2007, 2:49 PM

Greetings,

im using Snort on OPT interface for blocking P2P traffic.
But i need to disable default portscan detection in snort. –> ( Portscan detected from 192.168.15.131 Talker(fixed: 30 sliding: 16) Scanner(fixed: 0 sliding: 0))

Its possible to disable portscan detection and blocking ips that do portscan?

trendchiller · Feb 8, 2007, 4:22 PM

when you have snort updated to the newest version you can chose which rules to apply and also edit these rules.
so you can apply your own settings…

Bredys · Feb 8, 2007, 8:11 PM

I have selected only P2P rule… nothing else...
But snort still alert portscans and block this IPs.

sullrich · Feb 8, 2007, 9:25 PM

Whitelist the ip…

yoda715 · Feb 8, 2007, 11:58 PM

When you edit the rules you need to restart snort. Currently you can do this from the main snort page by clicking save.

Bredys · Feb 9, 2007, 6:00 AM

When i Whitelist this ip… then i cannot prevent P2P traffic from this IP..
I only need disable this portscan detection.
Snort i a clear instalation on clear pfsense with last snapshot...
I never select rules like "scan" etc.. only p2p.

I read something about snort and i found that this is a buld-in feature that can be disabled or modified in config.
So my question is : it is possible to add a feature for disabling or modifing (not block but only report) portscan detection in webgui ?

sullrich · Feb 9, 2007, 3:19 PM

I am not sure that we can turn it off completely at the moment. Probably need to create a checkbox to allow this.

pgzn · Jul 7, 2007, 6:48 PM

I installed snort and get a ton of false positives on scans. It even blocked my own server monitor which simply GET's http content from a page each two minutes.

Changing these settings from "high" to low in /usr/local/etc/snort/snort.conf fixes most of the false positives:

#sf Portscan
preprocessor sfportscan: proto { all }
scan_type { all }
sense_level { low }
ignore_scanners { $HOME_NET }

To turn it off would probably involve changing "all" to none (just my guess). But it will be overwritten if any snort settings are changed. When editing the file you need to restart snort at Status | Services and double check to make sure it is still set at what it is supposed to be.

Easy to edit with WinSCP on a windows system.

sullrich · Jul 7, 2007, 9:26 PM

Good find. I have commited a change to make low the default.

Reinstall the package 5-10 minutes after this message to pickup the new version.

pgzn · Jul 8, 2007, 7:54 AM

That ends that mystery. I rebooted the firewall at the data center, it updated automatically and when I went in to edit the file it was already set at "low". Was wondering on the way home how that happened :)