Snort mailing list archives
Re: Yet another spp_portscan2 question
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 6 Feb 2003 11:56:06 -0600 (CST)
If you only want portscan2 to activate given a src IP hitting multiple destination hosts (rather than ports), then set the port limit to 65535 or some other huge number. That way, the port limit will (hopefully) never be met, and you will be left looking at someone going 1 IP to many.

Hope that helps.

On Wed, 5 Feb 2003, Fialkowski, Joe wrote:
> Hello List
>
> I have a question about spp_portscan2. And I don't think it has been covered on this list. Forgive me if it has.
>
> Is there any way to log or alert only when a scan occurs on multiple targets? I keep getting the message below when a user opens up a web page with many images. I have already tried setting the port limit to 60 to alleviate some of the chatter but still get a few hits from this preprocessor. Any ideas are welcome
>
> (spp_portscan2) Portscan detected from 192.118.72.15 <http://4dde4/acid_stat_ipaddr.php?ip=192.118.72.15&netmask=32>: 1 targets 61 ports in 32 seconds
>
> Thanks in advance,
> Joe
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
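
The effect of the port limit discussed in this thread, as an added example that is not part of either message and is not Snort's code. It is a simplified model: the function, its parameter names, the target limit of 5 and the traffic are constructed for illustration. It also shows the trade-off of the 65535 setting: many-port scans against a single host no longer alert.

```python
from collections import defaultdict

def portscan_alerts(events, target_limit, port_limit, timeout=60):
    """Simplified threshold model (an assumption, not Snort's implementation).
    Alert once per source when, within `timeout` seconds, it has touched more
    than target_limit distinct hosts or more than port_limit distinct ports.
    events: (time_s, src_ip, dst_ip, dst_port) tuples sorted by time."""
    window = defaultdict(list)          # src -> recent (time, dst, port)
    alerted, alerts = set(), []
    for t, src, dst, port in events:
        recent = [e for e in window[src] if t - e[0] <= timeout]
        recent.append((t, dst, port))
        window[src] = recent
        targets = {e[1] for e in recent}
        ports = {e[2] for e in recent}
        over = len(targets) > target_limit or len(ports) > port_limit
        if over and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(targets), len(ports)))
    return alerts

def sample_events():
    """Constructed traffic, not captured data."""
    ev = []
    # One source, 1 target, 61 distinct ports in 32 s (the counts in the quoted alert)
    ev += [(i * 32 / 60, "192.0.2.15", "10.0.0.5", 1024 + i) for i in range(61)]
    # One source, 8 targets, same port: the "1 IP to many" case
    ev += [(40 + i, "198.51.100.7", f"10.0.0.{i + 1}", 80) for i in range(8)]
    # One source, 1 target, 200 ports: a many-port scan of a single host
    ev += [(60 + i * 0.1, "203.0.113.9", "10.0.0.9", i + 1) for i in range(200)]
    return sorted(ev)

if __name__ == "__main__":
    for limit in (60, 65535):
        print(f"port_limit={limit}")
        for src, n_targets, n_ports in portscan_alerts(sample_events(), 5, limit):
            print(f"  {src}: {n_targets} targets {n_ports} ports")
```
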