Snort mailing list archives
How can you classify portscans in ACID unique alert screen...
From: "James MacKinnon" <pheonix32 () operamail com>
Date: Sun, 12 Jan 2003 06:29:00 +0800
Hi There,

The "unique alerts" web page displays alerts by classification. Port scans (detected by the snort preprocessor) log into ACID fine, but are classified as "undefined". If a classification is unavailable, ACID classifies a scan by the number of ports opened in 4 seconds. During long port scans this can cause a single portscan to be logged anywhere up to 20 times in the "unique alerts" screen.

To try and get around this I have created a custom rule with a classification and want this to be logged to ACID when a portscan is detected. How can I get the preprocessor to call that rule? Any ideas how to do this would be appreciated.

Using modified (snort 1.87)

Thanks
Sheabo () esp co nz
Current thread:
- How can you classify portscans in ACID unique alert screen... James MacKinnon (Jan 11)