Snort mailing list archives
Re: Portscan madness -- how to tweak
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 07 Jan 2002 00:47:20 -0500
Are they UDP portscans or TCP portscans? Are they coming from your DNS server or elsewhere? What version of Snort are you using? Are the scans from a few IP addresses all the time or from a bunch of different sources?

-Marty

chi-leung.wong () nokia com wrote:
Hello everyone,

Sorry to be a bother, but I've been trying to get this portscan tweaked but it's killing me. Currently my alerts consist of 90% portscans and I can't seem to tweak it through rules or even the portscan-ignorehosts (might as well turn portscan off if using too many addresses).

I have my IDS sitting at a traffic point on our router. My EXTERNAL_NET and HOME_NET are set to any since I'm detecting internal intrusions and not external. I'm just getting bombarded. All I can think of now is to turn off portscan if everything fails.

Does anyone have any suggestions? Portscan options are now 7 3. Any help would be very much appreciated. Thank you.

Cheers,
-Alan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
Current thread:
- Portscan madness -- how to tweak chi-leung . wong (Jan 06)
- Re: Portscan madness -- how to tweak Martin Roesch (Jan 06)
- <Possible follow-ups>
- RE: Portscan madness -- how to tweak chi-leung . wong (Jan 06)