Snort mailing list archives

Re: sfportscan tuning


From: "Kamran Shafi" <kamran.shafi () gmail com>
Date: Wed, 12 Mar 2008 15:47:42 +1100

Oops, I guess I replied to the personal address.

On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi () gmail com>
wrote:

Thanks for the quick reply, Joel,

In the conf file there are apparently only three levels (low, medium and
high) of sensitivity that you can set for the sfportscan preprocessor, which I
believe have their thresholds set internally. I understand that the local
and global thresholds can be configured using threshold directives at rule
level or globally, but that does not seem to affect the preprocessor
settings. I am actually simulating some scanning activity which is being
detected by the portscan preprocessor, but I want Snort to alert more often
than it is doing with the high sensitivity.

What am I missing? Sorry for my ignorance :(


On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler () sourcefire com>
wrote:

Take a look at the snort.conf file in the etc/ directory.  All your
config options are in there.  The README is in doc/
J

On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:

Hi all,

Do I need to change the threshold settings of portscan preprocessor in
src/preprocessors/portscan.c  or is there a softer way of changing the
thresholds for the alerts generated by this preprocessor??

Do I need to uninstall Snort first when I modify the .c file and then
recompile? I earlier installed Snort using the package manager; I guess
after making this change I will just need to follow the standard sequence of
make

make clean
./configure
make
make install

Am I right or missing some step? Sorry if it's a very basic question -
I just didn't want to stuff up my existing setup.

--
Regards
Kam
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.

http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler  joel.esler () sourcefire com
--
Regards
Kamran Shafi
+61 41 824 9510
-- 
Regards
Kamran Shafi
+61 41 824 9510
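To make the point about the sensitivity levels concrete, here is an added snort.conf fragment (not from the thread and not Sourcefire's own text) showing the sfportscan options that can be set without touching portscan.c. It assumes the Snort 2.x sfportscan keywords (proto, memcap, sense_level, scan_type, watch_ip, ignore_scanners, ignore_scanned, detect_ack_scans, logfile) as documented in the README.sfportscan of that era; the addresses and the log path are made up for illustration.

```conf
# As shipped in etc/snort.conf: the only sensitivity knob is sense_level,
# and the packet/port counters behind low, medium and high are compiled
# into the preprocessor rather than read from this file.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# Tuned for a lab where scans are being simulated on purpose
# (illustrative values, not a recommended production setting):
#  - sense_level high selects the most aggressive built-in thresholds
#  - every scan_type is listed so decoy and distributed scans are tracked too
#  - detect_ack_scans also counts ACK-only probes
#  - watch_ip limits tracking to the range under test; ignore_* drops known
#    noise sources so they do not eat the memcap
preprocessor sfportscan: proto { all } \
    scan_type { portscan portsweep decoy_portscan distributed_portscan } \
    sense_level { high } \
    memcap { 10000000 } \
    watch_ip { 10.0.0.0/8 } \
    ignore_scanners { 10.0.0.5 } \
    ignore_scanned { 10.0.0.99 } \
    detect_ack_scans \
    logfile { /var/log/snort/portscan.log }

# Rule-level and global threshold directives operate on the events sfportscan
# emits (generator id 122) after detection has already happened; they can
# only suppress or rate-limit those events, never lower the detection
# thresholds. Shown commented out because it would reduce, not raise, the
# number of alerts:
# threshold gen_id 122, sig_id 1, type limit, track by_src, count 1, seconds 60
```

With sense_level high the preprocessor is already at its most aggressive built-in setting; the remaining options widen what it watches rather than lower the per-level counters. Going below the high thresholds still means editing the table in src/preprocessors/portscan.c and rebuilding, as the original question assumed. One caveat for a package-manager install: a `make install` from source will land in /usr/local by default unless ./configure is given the same --prefix the package used, so check `which snort` afterwards to be sure the rebuilt binary is the one being run.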