Snort mailing list archives
Re: sfportscan tuning
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 12 Mar 2008 08:00:00 -0400
Have you looked at the readme?

--
Joel Esler
Sent from the iRoad.

On Mar 12, 2008, at 12:47 AM, "Kamran Shafi" <kamran.shafi () gmail com> wrote:

> Oops, guess I replied to a personal address.
>
> On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi () gmail com> wrote:
>
>> Thanks for a quick reply Joel,
>>
>> In the conf file there are apparently only three levels (low, medium and high) of sensitivity that you can set for the sfportscan preprocessor, which I believe have their thresholds set internally. I understand that the local and global thresholds can be configured using threshold directives at rule level or globally, but that does not seem to affect the preprocessor settings. I am actually simulating some scanning activity which is being detected by the portscan preprocessor, but I want snort to alert more often than it is doing with the high sensitivity.
>>
>> What am I missing, and sorry for my ignorance :(.
>>
>> On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler () sourcefire com> wrote:
>>
>>> Take a look at the snort.conf file in the etc/ directory. All your config options are in there. The README is in doc/
>>>
>>> J
>>>
>>> On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:
>>>
>>>> Hi all,
>>>>
>>>> Do I need to change the threshold settings of the portscan preprocessor in src/preprocessors/portscan.c, or is there a softer way of changing the thresholds for the alerts generated by this preprocessor??
>>>>
>>>> Do I need to uninstall Snort first when I modify the .c file and then recompile? I earlier installed Snort using the package manager. I guess after doing this change I will just need to follow the standard sequence of make:
>>>>
>>>>     make clean
>>>>     ./configure
>>>>     make
>>>>     make install
>>>>
>>>> Am I right or missing some step? Sorry if it's a very basic question - just didn't want to stuff up my existing setup.
>>>>
>>>> --
>>>> Regards
>>>> Kam
>>>
>>> --
>>> Joel Esler
>>> joel.esler () sourcefire com
>>
>> --
>> Regards
>> Kamran Shafi
>> +61 41 824 9510
>
> --
> Regards
> Kamran Shafi
> +61 41 824 9510

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
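Added example, not taken from the thread: a snort.conf fragment showing the sfportscan preprocessor line that the replies point to, with sense_level as the knob the question is about, and a threshold directive included to show the caveat that such directives act on alert output and cannot make the preprocessor detect more. Option names follow doc/README.sfportscan; the address ranges, logfile name and the sig_id are assumptions.

```conf
# Added example, not from the thread. Option names follow README.sfportscan;
# addresses, logfile name and sig_id below are assumed placeholders.

# Typical shipped setting: medium sensitivity on all protocols.
# preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium }

# Raised sensitivity. sense_level { low | medium | high } is the only
# configurable detection knob; the numeric thresholds behind each level
# live in the source (src/preprocessors/portscan.c), as the first message
# in the thread suspects.
preprocessor sfportscan: proto { all } \
                         scan_type { all } \
                         sense_level { high } \
                         watch_ip { 192.0.2.0/24 } \
                         ignore_scanners { 192.0.2.10 } \
                         logfile { portscan.log }

# Caveat: a threshold directive filters events after detection, so for
# sfportscan (gen_id 122) it can only limit or suppress alerts, never raise
# sensitivity. sig_id 1 (TCP portscan) is assumed here.
threshold gen_id 122, sig_id 1, type limit, track by_src, count 1, seconds 60
```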
Current thread:
- sfportscan tuning Kamran Shafi (Mar 11)
- Re: sfportscan tuning Joel Esler (Mar 11)
- Message not available
- Re: sfportscan tuning Kamran Shafi (Mar 11)
- Re: sfportscan tuning Joel Esler (Mar 12)
- Re: sfportscan tuning Kamran Shafi (Mar 12)
- Message not available
- Re: sfportscan tuning Joel Esler (Mar 11)