Snort mailing list archives

Tuning sfPortscan


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Mon, 13 Mar 2006 12:00:45 +0000

Hi, one of my sensors is generating a lot of noise from sfPortscan. The alerts are generated correctly (the sensor is monitoring our residential network) mostly by p2p traffic. The problem I have is they're filling my database and causing a performance issue.

What I'd like to do, rather than disable the preprocessor, is see only alerts for scans to hosts on our network. I've added our address range as 'watch_ip' but what I'd like to do is use the equivalent of EXTERNAL_NET from snort.conf for 'ignore_scanned'. Unless I've missed something there isn't an equivalent for sfPortscan?

Rob Ward
University of Liverpool
Computing Services Department

