Snort mailing list archives
RE: Portscan preprocessor tweaking
From: "John Berkers" <berjo () ozemail com au>
Date: Wed, 16 May 2001 19:50:54 +1000
STEALTH packets are always reported as a portscan, no tweaking will get rid of them. Not sure about that second one though, but it's an update and updates don't necessarily need to match the detection criteria that caused it to start getting logged in the first place.

John

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Andrew J. Bostaph
Sent: Wednesday, 16 May 2001 3:35
To: snort users
Subject: [Snort-users] Portscan preprocessor tweaking

I am trying to fine-tune my portscan preprocessor. I changed the default:

preprocessor portscan: $HOME_NET 4 3 portscan.log

to:

preprocessor portscan: $HOME_NET 8 5 portscan.log

But I don't think it's working correctly now. I keep seeing logs like:

May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from 208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)

1 connection across 1 host? I was shooting for 8 connections (in 5 seconds) minimum. Where did I go wrong?

Thanks,
Boa

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
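The thread above boils down to two points: spp_portscan emits "portscan status" update lines that need not satisfy the ports/seconds threshold that started the scan record, and STEALTH-flagged packets are logged regardless of threshold. The script below is an added example (not code from the thread, from Snort, or from either poster) showing how a defender can post-filter those syslog lines to re-apply the operator's intended thresholds: a STEALTH line is always surfaced, and other lines are only surfaced once the "connections" reported for a source, summed over a sliding window of `seconds`, reach `ports`. Assumptions: the sample log lines are constructed in the format quoted in the thread (the third through fifth lines are invented continuations), the syslog year is supplied by the caller since the timestamp lacks one, and summing "connections" per source is a simplification of what the preprocessor counts internally, not a reimplementation of it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the spp_portscan "portscan status" format quoted in the
# thread. The first two lines mirror the poster's; the rest are made up so that
# one source crosses the 8-connections-in-5-seconds threshold and then goes quiet.
SAMPLE_LOG = """\
May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from 208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)
May 15 12:13:35 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 3 connections across 1 hosts: TCP(3), UDP(0)
May 15 12:13:37 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 5 connections across 2 hosts: TCP(5), UDP(0)
May 15 12:13:50 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 2 connections across 1 hosts: TCP(2), UDP(0)
"""

# One regex for the whole line; the trailing STEALTH marker is optional.
STATUS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: spp_portscan: "
    r"portscan status from (?P<src>[\d.]+): (?P<conns>\d+) connections across "
    r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
    r"(?P<stealth> STEALTH)?$"
)


def parse_status(line, year=2001):
    """Parse one spp_portscan status line into a dict, or None if it is not one.

    `year` is an assumption: syslog timestamps carry no year, so the caller
    must supply it for the window arithmetic to work across month boundaries.
    """
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    # Collapse the double space syslog uses for single-digit days ("May  5").
    ts_text = " ".join(m["ts"].split())
    return {
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "src": m["src"],
        "conns": int(m["conns"]),
        "hosts": int(m["hosts"]),
        "tcp": int(m["tcp"]),
        "udp": int(m["udp"]),
        "stealth": m["stealth"] is not None,
    }


def filter_scans(lines, ports=8, seconds=5, year=2001):
    """Re-apply an operator's ports/seconds threshold to status lines.

    Returns the events worth surfacing, in log order, each tagged with why:
    "stealth" for lines the preprocessor flags unconditionally, "threshold"
    when a source's summed connections inside the sliding window reach `ports`.
    The window is cleared after a threshold hit so one burst yields one alert.
    """
    windows = defaultdict(deque)  # src -> deque of (timestamp, connections)
    hits = []
    for line in lines:
        ev = parse_status(line, year=year)
        if ev is None:
            continue  # not a status line (other snort output, truncated line, ...)
        if ev["stealth"]:
            hits.append({"ts": ev["ts"], "src": ev["src"], "reason": "stealth"})
            continue
        dq = windows[ev["src"]]
        dq.append((ev["ts"], ev["conns"]))
        # Drop updates that fell out of the window relative to this event.
        while dq and (ev["ts"] - dq[0][0]).total_seconds() > seconds:
            dq.popleft()
        if sum(c for _, c in dq) >= ports:
            hits.append({"ts": ev["ts"], "src": ev["src"], "reason": "threshold"})
            dq.clear()
    return hits


if __name__ == "__main__":
    for hit in filter_scans(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']:%b %d %H:%M:%S} {hit['src']:16} {hit['reason']}")
```

Run against the constructed sample with the poster's intended `8 5` setting, the STEALTH line from 208.201.239.56 is surfaced on its own, the single UDP connection from 129.59.100.1 is not, and that source is only surfaced at 12:13:37 once its updates within the previous five seconds add up to nine connections; tightening the window to one second makes the threshold hit disappear while the STEALTH line stays, which is exactly the behaviour described in the reply.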
Current thread:
- Portscan preprocessor tweaking Andrew J. Bostaph (May 15)
- RE: Portscan preprocessor tweaking John Berkers (May 16)