Snort mailing list archives
Re: sfportscan
From: Bryan Leavitt <dansagsun () gmail com>
Date: Thu, 26 May 2005 20:18:52 -0400
In general, I'd suggest reading both a) doc/README.sfportscan and b) the comments that are listed above the "preprocessor sfportscan" line in the snort.conf file. Having said that, I don't believe you can filter by port, but you can extensively filter by IPs. You may want to set "ignore_scanners { $HOME_NET }" if you're not concerned with outgoing scans. Perhaps set the sense_level to medium or low.

-Bryan

On 5/26/05, JJ Truax <jtruax () optivel com> wrote:
I'm getting too many false positives from sfportscan. Is there an equivalent to the following for sfportscan from portscan2 to

preprocessor portscan2-ignoreports-to: 80 25 53 443 161
preprocessor portscan2-ignoreports-from: 80 139 53 443 137 123

JJ