Snort mailing list archives

RE: Portscan preprocessor tweaking


From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 16 May 2001 19:50:54 +1000

STEALTH packets are always reported as a portscan; no tweaking will get rid
of them.

Not sure about that second one though, but it's an update and updates don't
necessarily need to match the detection criteria that caused it to start
getting logged in the first place.

John

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Andrew J.
Bostaph
Sent: Wednesday, 16 May 2001 3:35
To: snort users
Subject: [Snort-users] Portscan preprocessor tweaking


I am trying to fine tune my portscan preprocessor.  I changed the
default:

preprocessor portscan: $HOME_NET 4 3  portscan.log

to:

preprocessor portscan: $HOME_NET 8 5  portscan.log

But I don't think it's working correctly now.  I keep seeing logs like:

May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from
208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from
129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)

1 connection across 1 host?  I was shooting for 8 connections (in 5
seconds) minimum.  Where did I go wrong?

Thanks,

Boa


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

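The behaviour John describes, as an added example that is not Snort's code and was not posted by anyone in the thread: a small Python model of spp_portscan's "N connections in M seconds" threshold and its STEALTH reporting, together with a parser for the status lines Andrew quoted. The PortscanModel class, its sliding-window timing, the per-source "already reported" state and the way the connection/host counts are filled in are assumptions for illustration, not Snort's actual implementation; the two sample log lines are the ones from the original post.

```python
"""Simplified model of spp_portscan threshold/stealth reporting (added example).

Mirrors what the thread says: a source is reported once it makes at least
`connections` connections within `seconds` seconds (the "8 5" in the config
line), STEALTH-flagged packets are reported regardless of the threshold, and
status updates for an already reported source do not have to meet the
threshold again. Window eviction and count semantics are assumptions.
"""
import re
from collections import defaultdict, deque

# The two status lines quoted in the original post (syslog prefix included).
SAMPLE_LINES = [
    "May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from "
    "208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH",
    "May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from "
    "129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)",
]

STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?$"
)


def parse_status(line):
    """Parse one spp_portscan status line into a dict, or None if it is not one."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "connections": int(m["conns"]),
        "hosts": int(m["hosts"]),
        "tcp": int(m["tcp"]),
        "udp": int(m["udp"]),
        "stealth": m["stealth"] is not None,
    }


def format_status(rec):
    """Render a record back into the spp_portscan status line format."""
    return (
        f"spp_portscan: portscan status from {rec['src']}: "
        f"{rec['connections']} connections across {rec['hosts']} hosts: "
        f"TCP({rec['tcp']}), UDP({rec['udp']}){' STEALTH' if rec['stealth'] else ''}"
    )


def explain_status(line, threshold):
    """Say why a status line may show fewer connections than the configured threshold."""
    rec = parse_status(line)
    if rec is None:
        return "not a portscan status line"
    if rec["stealth"]:
        return "stealth packet: reported regardless of threshold"
    if rec["connections"] < threshold:
        return "update for an already reported source (threshold not re-applied)"
    return "threshold scan"


class PortscanModel:
    """Assumed model of the preprocessor's per-source sliding window."""

    def __init__(self, connections=8, seconds=5):
        self.connections = connections
        self.seconds = seconds
        self.window = defaultdict(deque)  # src -> deque of (ts, dst, proto)
        self.reported = set()             # sources that have already been logged

    def observe(self, ts, src, dst, proto, stealth=False):
        """Feed one packet; return the status record that would be logged, else None."""
        q = self.window[src]
        q.append((ts, dst, proto))
        while q and ts - q[0][0] > self.seconds:   # drop events outside the window
            q.popleft()
        if not (stealth or src in self.reported or len(q) >= self.connections):
            return None
        self.reported.add(src)
        return {
            "src": src,
            "connections": len(q),
            "hosts": len({d for _, d, _ in q}),
            "tcp": sum(1 for _, _, p in q if p == "tcp"),
            "udp": sum(1 for _, _, p in q if p == "udp"),
            "stealth": stealth,
        }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain_status(line, threshold=8))
    model = PortscanModel(8, 5)
    for i in range(8):  # 8 TCP connections to 8 hosts in 3.5 s: meets "8 5"
        rec = model.observe(10 + 0.5 * i, "10.0.0.2", f"192.0.2.{i + 1}", "tcp")
    print(format_status(rec))
    print(format_status(model.observe(100.0, "10.0.0.2", "192.0.2.9", "udp")))
```

Run against Andrew's two lines with threshold 8, the first is explained by the STEALTH flag and the second as an update for a source that was already being logged, which is the reading John gives; the model's last print shows how a 1-connection UDP update line arises after a source has crossed the threshold once.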
