portscan-ignoreports

["Jonathan J. Hart" <jhart () ccs neu edu>]

Hi there,

First off, snort rules.  Second, the new snort site looks great. 

On a few of our busier machines, my portscan log seems to get very
large.  Ports 110 and 113 (pop, ident) make up most of the apparent
scans.  Whether or not these are in fact real scans, or there is some
wonkiness going on between two machines is a matter of opinion.  The
ability to ignore certain hosts when tracking portscan activity is very
handy, but I think that a feature that allows you to select certain ports
to ignore would be just as cool.  

Thoughts?

-jon


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users