Snort mailing list archives
guardian + snort
From: Dariusz Brzeziński <dariusz.brzezinski () implozja kalisz pl>
Date: Sat, 8 Sep 2001 13:21:06 +0200
Hello to all - I'm new here :-)

I don't know if any of you is using snort+guardian, but I'd like to ask one question:

Why does guardian see

[**] [1:1002:1] <ppp0> WEB-IIS cmd.exe access [**]

in snort's alert file and correctly blocks it and DOES NOT see:

[**] [100:1:1] <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 212.106.168.62 (THRESHOLD 4 connections exceeded in 0 seco
09/08-03:49:41.593784
[**] [100:2:1] <ppp0> spp_portscan: portscan status from 212.106.168.62: 44 connections across 1 hosts: TCP(44), UDP(0) [**]
09/08-03:49:45.055077

In the end it blocks less important things and does not block portscanning.

TIA for help

--
Best regards,
Dariusz mailto:dariusz.brzezinski () implozja kalisz pl