Snort - portscan - suppress UDP port

  • Hi

    I'm trying to set up port scanning detection but the portscan preprocessor in Snort detects and blocks legitimate incoming UDP traffic.

    Is there any way to set the portscan detection so it ignores traffic on particular ports please?  I can see that Snort supports port suppression (see - the ignore_scanned directive) but that doesn't seem to be available in the UI.

    Is it possible to configure from the UI or do I have to amend the configuration files manually?


  • Moderator

    There is a PR for this already. Waiting for approval from the Devs…

  • bmeeks8 has merged the above pull request into the devel branch.

  • The ignore_scanned option is now availabe in pfBlockerNG 2.0.17 via the package manager.

    Many thanks to bmeeks8 and all the other devs for their support!

  • Thanks.  The ignore scanned option is now available in the Snort pre-processor page.

    There remains an issue that you can't select UDP in the scan type pull down menu, as it's missing.

    I've fixed that here,  but it's waiting to be merged.

  • @zxvv  Thanks very much for adding the ignore_scanned option.  I'm probably being slow, but I'm having trouble getting it to do what I need.  When I try to add an entry into ignore_scanned in the GUI, Snort fails to start.  I'm sure I'm not getting the syntax quite right.

    Basically, my set up and what I want to do are as follows:

    1)  I have a WAN interface which gets a dynamic IP from my ISP.  Let's call that

    2)  I have a NAT forward set up for a UDP port (let's say 1234) that forwards that port to a LAN address.  Let's call that

    3)  When I connect using the service on UDP port 1234, the port scan preprocessor detects it as a port scanning attempt and blocks the incoming IP.  The portscanning engine is set only to look at UDP traffic. If it helps, that UDP port 1234 is the only UDP port that's fowarded.

    4)  What I want to do is add an entry to ignore_scanned so that it ignores all traffic on UDP 1234 when deciding if it's being scanned.

    What do I type into the ignore_scanned box to achieve this please?

    I've tried various combinations of $HOME_NET, $EXTERNAL_NET,, specifying port 1234 etc (the last entry just trying to catch any address)  but it's either ineffective or Snort doesn't start at all with the following error:

    FATAL ERROR: /usr/local/etc/snort/snort_57232_re0/snort.conf(355) => Invalid ip_list to 'ignore_scanned' option.