Snort mailing list archives

Portscan signatures


From: "Ron Shuck" <rshuck () Buchanan com>
Date: Wed, 12 Feb 2003 19:36:42 -0600

Hi,

Sorry.  $&*^%* ^*^&%&^-&**%&&in' Microsoft OWA!

I haven't found this in the archives, so I apologize if this is a
duplicate.
 
Has anyone noticed that even after deleting events, you have a lot of
portscan signatures clogging up the signature table? Normally, you
wouldn't care if a signature stayed in the database after deleting the
associated alert(s), but with portscans each one is unique to source, #
of targets, # of ports, and # of seconds. I just checked mine and I have
3185 "bogus" signatures now after only a couple months.
 
Is there a mechanism for cleaning these up someone has already done?

Ron Shuck, CISSP - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org 
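
An added example, not part of the original post and not Snort's own tooling: one way to find and delete signature rows that no remaining event references, run here against an in-memory SQLite database. The two-table layout, its column names and the sample rows are assumptions constructed for illustration; check the real database's schema and take a backup before adapting the query.

```python
import sqlite3

# Assumed minimal layout: every event row points at one signature row.
# Table and column names are assumptions, not taken from the post.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER NOT NULL,
                    PRIMARY KEY (sid, cid));
"""

# Constructed sample rows. Portscan names embed source, host count, port
# count and duration, so every scan produces a distinct signature row.
SIGNATURES = [
    (1, "WEB-IIS cmd.exe access"),
    (2, "portscan from 192.0.2.10: 12 hosts, 40 ports, 3 seconds"),
    (3, "portscan from 192.0.2.77: 1 hosts, 900 ports, 8 seconds"),
    (4, "portscan from 198.51.100.5: 4 hosts, 16 ports, 2 seconds"),
    (5, "ICMP PING NMAP"),
]
# The events for signatures 2, 3 and 5 have already been deleted.
EVENTS = [(1, 1, 1), (1, 2, 4)]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    db.executemany("INSERT INTO event VALUES (?, ?, ?)", EVENTS)
    return db


def orphaned_signatures(db):
    """Return (sig_id, sig_name) rows that no remaining event refers to."""
    return db.execute(
        "SELECT sig_id, sig_name FROM signature "
        "WHERE sig_id NOT IN (SELECT signature FROM event) "
        "ORDER BY sig_id").fetchall()


def purge_orphans(db, name_prefix="portscan"):
    """Delete orphaned rows whose name starts with name_prefix; return count."""
    with db:  # single transaction, rolled back if the DELETE fails
        cur = db.execute(
            "DELETE FROM signature WHERE sig_name LIKE ? || '%' "
            "AND sig_id NOT IN (SELECT signature FROM event)",
            (name_prefix,))
    return cur.rowcount
```

Restricting the delete to the portscan name prefix leaves other unreferenced signatures (row 5 in the sample) in place, since those names recur and are cheap to keep.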
