Snort mailing list archives
Re: How many ports is considered a portsweep/portscan?
From: Nerijus Krukauskas <nkrukauskas () gmail com>
Date: Wed, 24 Mar 2010 14:12:04 +0200
On 2010-03-19, Russ Combs <rcombs () sourcefire com> wrote:
What version of Snort are you using? The latest version has event_filters that may do exactly what you want. Check out the README.filters for more.
Mine is 2.8.4. Will move to 2.8.6 as soon as the OS upgrade will permit, which is not in my control... Damn, can somebody change the mailing list settings, so that reply goes to the mailing list?
On Fri, Mar 19, 2010 at 2:43 AM, Nerijus Krukauskas <nkrukauskas () gmail com>wrote:Hi, On 2010-03-19, James Lay <jlay () slave-tothe-box net> wrote:I took a good solid read of the README for sfportscan, but at the end oftheday it seems that I¹m left with only a couple options of ignore_scanners, and ignore_scanned. Am I reading something wrong? These seem prettybinaryto me....unless there¹s a more granular level of control that I¹mmissing. You're not alone with this kind of feeling. I have it too. And I'm ignoring much of the portscan alerts, unless the statistical alert picture changes. -- http://nk99.org/ ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- http://nk99.org/ ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How many ports is considered a portsweep/portscan? James Lay (Mar 18)
- Re: How many ports is considered a portsweep/portscan? Matt Olney (Mar 18)
- Re: How many ports is considered a portsweep/portscan? James Lay (Mar 18)
- Re: How many ports is considered a portsweep/portscan? Nerijus Krukauskas (Mar 18)
- Re: How many ports is considered a portsweep/portscan? Russ Combs (Mar 19)
- Re: How many ports is considered a portsweep/portscan? Nerijus Krukauskas (Mar 24)
- Re: How many ports is considered a portsweep/portscan? Joel Esler (Mar 24)
- Re: How many ports is considered a portsweep/portscan? Ryan Jordan (Mar 24)
- Re: How many ports is considered a portsweep/portscan? Joel Esler (Mar 24)
- Re: How many ports is considered a portsweep/portscan? Nerijus Krukauskas (Mar 24)
- Re: How many ports is considered a portsweep/portscan? James Lay (Mar 18)
- Re: How many ports is considered a portsweep/portscan? Matt Olney (Mar 18)