Snort mailing list archives
Portscan signatures
From: "Ron Shuck" <rshuck () Buchanan com>
Date: Wed, 12 Feb 2003 19:36:42 -0600
Hi, Sorry. $&*^%* ^*^&%&^-&**%&&in' Microsoft OWA! I haven't found this is the archives, so I apologize if this is a duplicate. Has anyone noticed that even after deleting events, you have a lot of portscan signatures clogging up the signature table? Normally, you wouldn't care if a signature stayed in the database after deleting the associated alert(s), but with portscans each one is unique to source, # of targets, # of ports, and # of seconds. I just checked mine and I have 3185 "bogus" signatures now after only a couple months. Is there a mechanism for cleaning these up someone has already done? Ron Shuck, CISSP - Managing Consultant Buchanan Associates - A Technology Company in the People Business http://www.buchanan.com http://www.isc2.org
Attachment:
smime.p7s
Description:
Current thread:
- Portscan signatures Ron Shuck (Feb 12)
- <Possible follow-ups>
- Portscan signatures Ron Shuck (Feb 12)