Snort mailing list archives

Re: Flow-portscan oddity


From: Chris Green <cmg () uab edu>
Date: Wed, 14 Apr 2004 16:52:32 -0400

"Douglas McCrea" <dmccrea () rutgers edu> writes:

That's what I mean... Flow-Portscan works in the sense that it can be
configured to show that a scan or attack is happening from one host to
another, but it's totally useless without actually knowing what ports are
being scanned... As an analyst, the information below is nearly useless
to me.

At most it will only keep the last machines scanned when outputting
via the pktkludge output. It's supposed to be a real time component to
give you something to alert on and then go look at NetFlow-esque data
from around that alert time range to find out what was actually
being scanned.

I'll be the first to admit configuring it is a PITA, but it's good at
being consistent on memory usage. It also suffers from having been shoved
into the same old output systems that everything else uses.

I think it also has way too many end user knobs exposed by default so
the command line configuration really sucks.

Cheers,
-- 
Chris Green <cmg () dok org>
"I have no ability to read string
       handling code in a gaim window" -- me


