Snort mailing list archives

How can you classify portscans in ACID unique alert screen...


From: "James MacKinnon" <pheonix32 () operamail com>
Date: Sun, 12 Jan 2003 06:29:00 +0800

Hi There,

The "unique alerts" web page displays alerts by classification. Port scans (detected by the snort preprocessor) log into 
ACID fine, but are classified as "undefined".  If a classification is unavailable, ACID classifies a scan by the number 
of ports opened in 4 seconds. During long port scans this can cause a single portscan to be logged anywhere up to 20 
times in the "unique alerts" screen. 

To try and get around this I have created a custom rule with a classification and want this to be logged to acid when a 
portscan is detected.

How can I get the preprocessor to call that rule?

Any ideas how to do this would be appreciated.

Using modified (snort 1.87)

Thanks  

Sheabo () esp co nz
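The splitting the post describes (one long scan showing up as many "undefined" entries, one per 4-second bucket) can be undone on the defender's side by merging the preprocessor's per-bucket alerts back into one event per scan and source before they are counted. The script below is an added example, not code from the post or from Snort/ACID; the sample log lines are constructed in the style of Snort 1.x spp_portscan fast-alert output (wording approximated), the `idle_seconds` window and the `attempted-recon` label are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample input: spp_portscan alert lines for two sources. The first
# scan from 10.0.0.5 spans several 4-second buckets and would appear as several
# "undefined" unique alerts in ACID; the merge below turns it into one event.
SAMPLE_ALERTS = """\
01/12-06:29:01.000000 [**] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 1 seconds) [**]
01/12-06:29:04.000000 [**] spp_portscan: portscan status from 10.0.0.5: 12 connections across 1 hosts: TCP(12), UDP(0) [**]
01/12-06:29:08.000000 [**] spp_portscan: portscan status from 10.0.0.5: 17 connections across 1 hosts: TCP(17), UDP(0) [**]
01/12-06:29:12.000000 [**] spp_portscan: End of portscan from 10.0.0.5: TOTAL time(11s) hosts(1) TCP(33) UDP(0) [**]
01/12-06:29:30.000000 [**] spp_portscan: PORTSCAN DETECTED from 10.0.0.7 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
01/12-06:29:33.000000 [**] spp_portscan: End of portscan from 10.0.0.7: TOTAL time(3s) hosts(2) TCP(6) UDP(2) [**]
01/12-06:40:00.000000 [**] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 2 seconds) [**]
"""

# timestamp, message kind ("PORTSCAN DETECTED", "portscan status", ...), source IP
LINE_RE = re.compile(r"^(\S+) \[\*\*\] spp_portscan: (.*?) from (\d+\.\d+\.\d+\.\d+)")


def parse_alert(line):
    """Return {'time', 'kind', 'src'} for one spp_portscan line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")  # no year in Snort 1.x timestamps
    return {"time": ts, "kind": m.group(2), "src": m.group(3)}


def merge_portscan_alerts(lines, idle_seconds=30):
    """Collapse per-bucket spp_portscan alerts into one event per (source, scan).

    Alerts from the same source are merged while they arrive within idle_seconds
    of each other; an explicit "End of portscan" line closes the scan immediately.
    Each merged event gets a fixed classification instead of ACID's "undefined".
    """
    open_scans = {}  # src -> scan dict still being merged
    scans = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        cur = open_scans.get(a["src"])
        if cur is not None and (a["time"] - cur["last"]).total_seconds() > idle_seconds:
            cur = None  # source went quiet for too long: treat this as a new scan
        if cur is None:
            cur = {"src": a["src"], "first": a["time"], "last": a["time"],
                   "alerts": 0, "classification": "attempted-recon"}
            scans.append(cur)
            open_scans[a["src"]] = cur
        cur["last"] = a["time"]
        cur["alerts"] += 1
        if a["kind"].startswith("End of portscan"):
            del open_scans[a["src"]]  # preprocessor says the scan is over
    return scans
```

Running `merge_portscan_alerts(SAMPLE_ALERTS.splitlines())` on the constructed input yields three events (two from 10.0.0.5, one from 10.0.0.7) instead of seven separate alerts.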
