Snort mailing list archives

Portscan2 filtering suggestions - Snort 1.9.0 & acid


From: "Beckett, Josh" <JBeckett () enviance com>
Date: Wed, 9 Oct 2002 13:37:37 -0700

I'm trying to tune out the false positives triggered by my users going
to a website and the ensuing http conversation opening up many ports.

I've upped the portscan2 preprocessor port_limit value from default to
20 and then to 25.  Each time I increase the value, the alerts continue
to trigger at the new, higher threshold.

I understand what is going on at the TCP level but I am concerned that
the more I increase the threshold, the greater my chances of missing a
real scan.

In the reported alerts, the target value is always 1, which makes sense,
so I haven't messed with the portscan2 target value.  The alerts are
often under 5-10 seconds so adjusting the timeout would seem to have
little positive effect without an equal negative effect of increasing
the potential for missing true positives.

Any suggestions, thoughts, criticisms on what other adjustments I could
make (other than the obvious of keep crankin' up the port_limit and
lower the timeout)?

Josh Beckett
CISSP
Enviance.com

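To make the trade-off concrete, here is an added illustration, not code from the thread or from Snort: a simplified model of the portscan2 counters (distinct ports and targets per source inside a sliding timeout window) run over two constructed traces, a short page-load burst and a slow sequential scan, at the settings discussed above. The model, the hosts and the traffic are assumptions; only the port_limit and timeout values come from the post.

```python
from collections import defaultdict

# Simplified model (an assumption, not Snort's portscan2 source): for each
# source, count distinct (target, port) pairs and distinct targets seen in
# the last `timeout` seconds; alert when either count exceeds its limit.
def detect_scans(events, port_limit=20, target_limit=5, timeout=60):
    """events: iterable of (t_seconds, src, dst, dport). Returns alerts as
    (t, src, distinct_ports, distinct_targets). The source's history is
    cleared after an alert so one scan produces one alert."""
    history = defaultdict(list)
    alerts = []
    for t, src, dst, dport in sorted(events):
        recent = [e for e in history[src] if t - e[0] <= timeout]
        recent.append((t, dst, dport))
        ports = {(d, p) for _, d, p in recent}
        targets = {d for _, d, _ in recent}
        if len(ports) > port_limit or len(targets) > target_limit:
            alerts.append((t, src, len(ports), len(targets)))
            recent = []
        history[src] = recent
    return alerts

# Constructed traffic, not captured data.
# 1) A page-load burst like the one described above: one user host,
#    one target, 24 distinct ports within 6 seconds.
WEB_BURST = [(i * 0.25, "10.0.0.5", "192.0.2.80", 1024 + i) for i in range(24)]
# 2) A slow sequential scan: one port every 3 seconds, 48 ports, one target.
SLOW_SCAN = [(i * 3, "198.51.100.9", "10.0.0.5", 1 + i) for i in range(48)]

def compare_settings():
    """Run both traces through three settings; each value is
    (web burst alerted?, slow scan alerted?)."""
    settings = {
        "port_limit=20 timeout=60": dict(port_limit=20, timeout=60),
        "port_limit=25 timeout=60": dict(port_limit=25, timeout=60),
        "port_limit=25 timeout=90": dict(port_limit=25, timeout=90),
    }
    return {name: (bool(detect_scans(WEB_BURST, **kw)),
                   bool(detect_scans(SLOW_SCAN, **kw)))
            for name, kw in settings.items()}

if __name__ == "__main__":
    for name, (web, scan) in compare_settings().items():
        print(f"{name}: web burst alert={web}, slow scan alert={scan}")
```

Raising port_limit alone silences the burst but also drops the slow scan, which only comes back when the window is lengthened so that more of its probes fall inside one timeout.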
