Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Mark on April 06, 2003, 11:59:50 PM
-
Running SME 5.1.2 with ari-mitel-acid 2.0, snort and guardian. The problem I am having is with spp_portscan2 alerts. Seems like every major financial institution uses them. When I try and log in to make an online payment an alert is triggered and the site is blocked. Installing an entry in guardian.conf is very tedious. How do I turn off snort from detecting this alert?
TIA
-
Edit file /etc/snort/snort.conf
Place "#" at the beginning of the line "include $RULE_PATH/scan.rules"
and restart server
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
# include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
# include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------
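
An added example, not part of the original reply: the edit described above written as a shell function that keeps a backup of the file and reports whether the include line was active, already commented out, or absent. The function name, its return codes and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Comment out one "include $RULE_PATH/<name>" line in a snort.conf-style file.
# Return codes (chosen for this example):
#   0 = line was active and is now commented out
#   1 = line was already commented out, file untouched
#   2 = no include line for that rule file, file untouched
disable_rule_include() {
    conf=$1
    rules=$2
    # Escape dots so "scan.rules" cannot match a name such as "scanXrules".
    pat=$(printf '%s' "$rules" | sed 's/\./\\./g')
    tail="include[[:space:]]\{1,\}[$]RULE_PATH/$pat[[:space:]]*\$"
    active="^[[:space:]]*$tail"
    disabled="^[[:space:]]*#[[:space:]]*$tail"
    if grep -q "$active" "$conf"; then
        cp -p "$conf" "$conf.bak"      # copy to roll back to
        sed "s|$active|# include \$RULE_PATH/$rules|" "$conf.bak" > "$conf"
        return 0
    elif grep -q "$disabled" "$conf"; then
        return 1
    fi
    return 2
}

# Constructed sample (not the real /etc/snort/snort.conf) showing all three outcomes.
demo=$(mktemp)
printf '%s\n' 'include $RULE_PATH/exploit.rules' \
    'include $RULE_PATH/scan.rules' \
    '# include $RULE_PATH/ftp.rules' > "$demo"
for r in scan.rules ftp.rules nosuch.rules; do
    rc=0
    disable_rule_include "$demo" "$r" || rc=$?
    echo "$r -> $rc"
done
rm -f "$demo" "$demo.bak"
```

On the real system the call would be `disable_rule_include /etc/snort/snort.conf scan.rules`, followed by the restart the reply mentions.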