Snort mailing list archives
Re: Nmap -sT detection
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 24 Jul 2014 15:09:55 -0400
On 7/24/2014 2:10 AM, Meysam Farazmand wrote:
> Hello all, As you know, in nmap, when we use the -sT switch and set the timing template to paranoid or polite, it's impossible for snort to detect the port scan. So I have an idea. In snort rules, if we could say, for example, when more than five ports are accessed by one host in 1 hour, trigger an alert. So I wanted to know if it's possible to implement this idea in snort rules?
seems that thresholding via threshold.conf or in-rule detection_filter would be where you would look...

here's a link to detection_filter

http://manual.snort.org/node538.html

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
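The two mechanisms named in the reply, sketched as an added example that is not part of the original thread: an in-rule `detection_filter` for the "more than five in one hour" idea, plus an `event_filter` line for threshold.conf. The sid, message text and the choice to match bare SYN packets are assumptions made for illustration; `$EXTERNAL_NET` and `$HOME_NET` are the usual snort.conf variables.

```snort
# Added example with constructed values (sid 1000001, msg text); Snort 2.9 syntax.

# local.rules
# Match inbound SYN-only packets, but alert only after one source address
# has matched more than 5 times within 3600 seconds (1 hour).
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"LOCAL possible slow TCP connect scan"; \
    flags:S; \
    detection_filter:track by_src, count 5, seconds 3600; \
    classtype:attempted-recon; sid:1000001; rev:1;)

# threshold.conf
# Once the detection_filter limit is exceeded, every further match alerts.
# Limit logging to one alert per source per hour for this rule.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600
```

`detection_filter` counts rule matches per source, not distinct destination ports, so six SYNs to a single port from one host exceed the count just as six different ports would. On a network with ordinary inbound connections the rule needs narrowing (destination hosts, port ranges or a higher count) before the alerts are useful.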