Re: Nmap -sT detection

[waldo kitty <wkitty42 () windstream net>]

On 7/24/2014 2:10 AM, Meysam Farazmand wrote:
> Hello all,
>
> As you know, in nmap, when we use -sT switch and set timing template to paranoid
> or polite, it's impossible for snort to detect port scan. So i have an idea. In
> snort rules,If we could say for example when more than five port accessed by one
> host in 1 hour, trigger an alert. So i wanted to know if it's possible to
> implement this idea in snort rules?

seems that thresholding via threshold.conf or in-rule detection_filter would be 
where you would look... here's a link to detection_filter

http://manual.snort.org/node538.html

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!