Snort mailing list archives

Re: Portscan madness -- how to tweak


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 07 Jan 2002 00:47:20 -0500

Are they UDP portscans or TCP portscans?  Are they coming from your DNS
server or elsewhere?  What version of Snort are you using?  Are the
scans from a few IP addresses all the time or from a bunch of different
sources?

     -Marty

chi-leung.wong () nokia com wrote:

Hello everyone,

        Sorry to be a bother, but I've been trying to get this portscan
tweaked but it's killing me. Currently my alerts consist of 90%
portscans and I can't seem to tweak it through rules or even the
portscan-ignorehosts (might as well turn portscan off if using too many
addresses). I have my IDS sitting at a traffic point on our router. My
EXTERNAL_NET and HOME_NET are set to any since I'm detecting internal
intrusions and not external. I'm just getting bombarded. All I can think
of now is to turn off portscan if everything fails. Does anyone have any
suggestions? Portscan options now are 7 3. Any help would be very much
appreciated. Thank you.

Cheers,
-Alan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org


