
[ossec-list] Re: regex question



On 6/3/07, Tim Boyer <tim@xxxxxxxxxxxxxx> wrote:

OK, I've just started using this fine program, and I'm trying to eliminate a
false positive.  I'm doing something wrong that I'm sure is obvious, but
after four days of staring at it I need more eyes.

WhatsUp is doing portscans on my internal network, which is a Good Thing.
The logs say
 
Since these port scan alerts are from the Snort sfportscan preprocessor, your best option is to tune out false positives from your IDS.  Tuning at the log analysis layer works, of course, but the general rule is to always move your tuning as far upstream as possible.
 
In this case, modify the "ignore_scanners" option in your snort.conf and tune out known source IPs that are legitimately scanning your network.
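As an added illustration (not part of the original reply), here is what that snort.conf change looks like: the sfportscan preprocessor line without the option, beside the same line with the scanner whitelisted. The addresses are constructed placeholders; substitute the real WhatsUp host, and keep the rest of snort.conf (stream/flow tracking, which sfportscan depends on) as it already is.

```text
# Before: every source that sweeps the network is reported,
# including the monitoring host that is supposed to do it.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low }

# After: the known-good scanner is excluded at the sensor, so the
# alert is never generated and never reaches OSSEC.
# 192.168.10.5 = constructed placeholder for the WhatsUp server;
# a CIDR block can be listed alongside single addresses.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanners { 192.168.10.5 }
```

Keep the ignore list to hosts whose scanning you have actually verified; a broad range here means a compromised host inside it can sweep the network without a sfportscan alert.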



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.