Snort mailing list archives

Re: Tuning sfPortscan


From: Alex Gottschalk <agottschalk () letstalk com>
Date: Wed, 15 Mar 2006 11:14:26 -0800

Eric Hines wrote:

> You guys really should be using the preprocessor's tuning options built
> in to sfportscan rather than disabling things. Check out the
> ignore_scanners and ignore_scanned directives, play with the sensitivity
> level, etc..

Having done quite a bit of googling and reading of the snort manual, it seems like there isn't really any way of putting something along the lines of "! $HOME_NET" into the ignore_scanned field. Or specifying certain ports to ignore.

> Turning things off entirely because of false positives is a really bad
> practice..

I did not turn off sfportscan entirely -- I turned off the portsweep scan_type because that was where 99% of the false positives were. I'd like to turn it on again, but not if it's going to fill my logs with bogus results.

--Alex


--
/--------------------------------------------------\
| Alex Gottschalk <agottschalk () letstalk com>       |
| LetsTalk, Inc. -- IT Manager/Sysadmin            |
\--------------------------------------------------/
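As an added illustration (not part of either message above), here is what a tuned sfPortscan stanza in a Snort 2.x snort.conf looks like when the directives Eric names are used instead of dropping the portsweep scan_type. The network ranges, host addresses and log path are assumptions standing in for a real deployment; since the thread leaves open whether the preprocessor accepts a negated list such as `! $HOME_NET`, the example lists explicit addresses and variables only.

```conf
# Added example, not from the thread: sfPortscan tuned rather than disabled.
# All addresses, variable values and the log path below are assumptions.
var HOME_NET 192.168.0.0/16
var DNS_SERVERS [192.168.1.10,192.168.1.11]

preprocessor sfportscan: proto { all } \
    # keep portsweep on; leave out only the detectors you truly do not want
    scan_type { portscan portsweep decoy_portscan distributed_portscan } \
    # low = fewest alerts, high = most; start low and raise while watching logs
    sense_level { low } \
    # hosts that legitimately talk to many peers/ports (resolvers, monitoring)
    # and would otherwise be reported as the *source* of a sweep
    ignore_scanners { $DNS_SERVERS 192.168.5.20 } \
    # hosts that are legitimately probed by many clients and would otherwise
    # be reported as the *target* of a scan
    ignore_scanned { $DNS_SERVERS } \
    # portscan events are written here in addition to the normal alert output
    logfile { /var/log/snort/portscan.log }
```

The intended workflow is iterative: run with `sense_level { low }`, read the source and destination addresses in the portscan log for the hosts that account for the bulk of the noise, and add those to `ignore_scanners` or `ignore_scanned` as appropriate, so that sweeps from everything else keep alerting.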

