Snort mailing list archives

Portscan preprocessor tweaking


From: "Andrew J. Bostaph" <abostaph () usa net>
Date: Tue, 15 May 2001 12:34:53 -0500

I am trying to fine tune my portscan preprocessor.  I changed the
default:

preprocessor portscan: $HOME_NET 4 3  portscan.log

to:

preprocessor portscan: $HOME_NET 8 5  portscan.log

But I don't think it's working correctly now.  I keep seeing logs like:

May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from 208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)

1 connection across 1 host?  I was shooting for 8 connections (in 5
seconds) minimum.  Where did I go wrong?

Thanks,

Boa

