Snort mailing list archives

Re: how to use port_scan with snort3.0


From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 1 Feb 2019 16:32:54 -0500

Hi,

Did you check the Snort++ user manual?  There is a section on port_scan.  It is similar to but updated from Snort 2.  You can use the default configurations like this:

    port_scan = default_med_port_scan

(taken from the example snort.lua) or you can copy and tweak any of the configs from snort_defaults.lua. With Snort 3, port_scan is completely configurable, so it is just a matter of tweaking the thresholds to meet your needs.

Hope that helps.
Russ

On 2/1/19 4:47 AM, sofardware via Snort-users wrote:
Hi all,
       Who can tell me how to use port_scan with snort3.0? Thanks.
       I have tried it with \snortrules-snapshot-3000\etc\snort_defaults.lua and snort.lua to detect a scan from nmap, but there is no alert.



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
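
The "copy and tweak" approach from the reply above, sketched as a snort.lua fragment. This is an added example, not part of the original thread or of the Snort distribution. The threshold numbers are constructed, and the sub-table and field names (tcp_ports, tcp_sweep, scans, rejects, nets, ports, enable_builtin_rules) are written as they are understood to exist in Snort 3, so check them against `snort --help-module port_scan` and `snort --help-module ips` for your build.

```lua
-- snort.lua fragment (added example; values are constructed, not recommendations).
-- Assumes snort_defaults.lua has already been loaded, as the stock snort.lua does,
-- so that default_med_port_scan is defined.

-- Start from the medium preset, copying it so the table in
-- snort_defaults.lua is left untouched.
port_scan = {}
for key, value in pairs(default_med_port_scan) do
    port_scan[key] = value
end

-- Override only the thresholds that need to differ for this sensor.
-- One source scanning many ports on one target:
port_scan.tcp_ports = { scans = 100, rejects = 5, nets = 30, ports = 10 }
-- One source probing the same port across many targets:
port_scan.tcp_sweep = { scans = 100, rejects = 5, nets = 10, ports = 10 }

-- port_scan events are builtin rules (GID 122). The inspector can be
-- configured and still produce no alerts unless builtin rules are enabled
-- (or matching rules are loaded) in the ips module.
ips =
{
    enable_builtin_rules = true,
}

-- Send events to a logger so they are visible while tuning thresholds.
alert_fast = { }
```

If the stock snort.lua already defines `ips`, add `enable_builtin_rules = true` to that table rather than declaring a second one.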

