Snort mailing list archives
Portscan2 filtering suggestions - Snort 1.9.0 & acid
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Wed, 9 Oct 2002 13:37:37 -0700
I'm trying to tune out the false positives triggered by my users going to a website and the ensuing HTTP conversation opening up many ports. I've upped the portscan2 preprocessor port_limit value from default to 20 and then to 25. Each time I increase the value, the alerts continue to trigger at the new, higher threshold. I understand what is going on at the TCP level, but I am concerned that the more I increase the threshold, the greater my chances of missing a real scan.

In the reported alerts, the target value is always 1, which makes sense, so I haven't messed with the portscan2 target value. The alerts are often under 5-10 seconds, so adjusting the timeout would seem to have little positive effect without an equal negative effect of increasing the potential for missing true positives.

Any suggestions, thoughts, criticisms on what other adjustments I could make (other than the obvious of keep crankin' up the port_limit and lower the timeout)?

Josh Beckett CISSP
Enviance.com
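An added example, not from the original post, showing the two tuning approaches side by side as a Snort 1.9.x snort.conf fragment: the "raise port_limit" approach the poster describes, and the alternative of keeping port_limit near its default while excluding a fixed set of hosts from scanner tracking. All addresses are constructed placeholders. The option names follow the portscan2 and conversation preprocessor syntax as shipped with Snort 1.9's default snort.conf; the exact spelling of the ignore-hosts directive should be checked against the README.portscan2 that ships with your build before relying on it.

```conf
# Added example (not from the original post): Snort 1.9.x snort.conf fragment
# for tuning portscan2. 203.0.113.10 is a constructed placeholder address.

# portscan2 builds on the conversation preprocessor, which decides how long a
# flow is remembered. Keep its timeout in step with portscan2's timeout so the
# two do not age flows out at different rates.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

# Approach 1 (what the post describes): keep raising port_limit. Each increase
# also raises the number of distinct ports a genuine scan can touch against a
# single host before any alert fires, which is the trade-off the poster is
# worried about. Shown commented out for comparison.
# preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 25, timeout 60, log /var/log/snort/scan.log

# Approach 2: leave port_limit at the default (20) so real one-host scans still
# trip at the same sensitivity, and instead stop counting traffic from hosts
# whose legitimate replies fan out across many client ports (for example an
# internal web server or HTTP proxy that appears as the "scanner" in the alerts).
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60, log /var/log/snort/scan.log

# Hosts listed here are never tracked as scan sources. Constructed address;
# list only hosts you have confirmed are the source side of the false alerts.
preprocessor portscan2-ignorehosts: 203.0.113.10/32
```

The ignore list only helps when the host reported as the scanner is a fixed, known system (an internal server or proxy); it cannot cover arbitrary external websites. Before adding a host, confirm from the scan.log entries which side portscan2 is naming as the source and that the "ports" counted are the client's ephemeral ports on a single target, since that pattern is what distinguishes this false positive from a real horizontal or vertical scan.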
Current thread:
- Portscan2 filtering suggestions - Snort 1.9.0 & acid Beckett, Josh (Oct 09)
- <Possible follow-ups>
- RE: Portscan2 filtering suggestions - Snort 1.9.0 & acid Beckett, Josh (Oct 09)