Re: Snort rules setup.

[Joel Esler <eslerj () gmail com>]

I suggest that you don't threshold these alerts.  If you don't want  
to see them at all, suppress them.

These are not "Errors", they are alerts of an Open Port Detection  
through the sfportscan preprocessor.  Check out the documentation on  
both the preprocessor and Suppression in the Snort manual.

You also might want to check out the Snort-Users list.

Joel


On Nov 30, 2005, at 2:13 PM, phunked up! wrote:

> I am trying to get rid of the errors of: "(portscan) Open Port" in my
> Snort logs.  They are filling it up quite fast.  I have put a line in
> the threshold.conf file and enabled that file in the snort.conf file
> but that has done nothing so far.
>
> Setup is Centos/MySQL/Snort/BASE.  Any advice would be much  
> appreciated.
>
> Thanks!
>
> ---------------------------------------------------------------------- 
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- 
> ids_040708
> to learn more.
> ---------------------------------------------------------------------- 
> --


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------