Snort mailing list archives

Portscan2 to detect RPC and other similar worms?


From: "William Tan" <bill () wwtan com>
Date: Mon, 25 Aug 2003 15:07:00 -0400

Many of the recent worms tend to exhibit themselves by scanning the same port (say tcp 135) on hundreds of hosts in a short period of time. Can the portscan2 preprocessor be used to detect this kind of behaviour?

I have experimented briefly with the target_limit and port_limit parameters. I set target_limit=512 and port_limit=1, but it seems that this triggers a port scan alert if either condition is met. What I really want is for both conditions to be met.

My goal is to use portscan2 to detect infected hosts on my home network (by ignoring $EXTERNAL_NET). Is there a better way to do this within Snort?

Thanks.

W Tan
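As an added illustration (not part of the original post, and not Snort or portscan2 code): the "both conditions" logic the poster is asking for, run over constructed flow records. A source alerts only when it has touched at least target_limit distinct hosts on no more than port_limit distinct ports inside a sliding time window; the require_both=False mode approximates the either/or behaviour the poster observed. Host addresses, ports and timestamps are constructed sample data.

```python
from collections import defaultdict, deque

def synthetic_flows():
    """Constructed sample flows (src, dst, dport, t_seconds); not real traffic.
    10.0.0.5 hits TCP/135 on 600 distinct hosts in ~30 s (worm-like sweep).
    10.0.0.9 touches five ports on one host (vertical scan, not a worm)."""
    flows = [("10.0.0.5", f"10.0.1.{i}", 135, i * 0.05) for i in range(600)]
    flows += [("10.0.0.9", "10.0.2.1", p, 30 + p * 0.1) for p in (21, 22, 25, 80, 443)]
    return sorted(flows, key=lambda f: f[3])

def detect_worm_scans(flows, target_limit=512, port_limit=1, window=60.0,
                      require_both=True):
    """Return one alert per source.
    require_both=True : alert when distinct targets >= target_limit AND
                        distinct ports <= port_limit (what the poster wants).
    require_both=False: alert when targets >= target_limit OR ports > port_limit
                        (approximates the either/or behaviour the poster saw)."""
    recent = defaultdict(deque)   # src -> deque of (t, dst, dport) in the window
    alerted, alerts = set(), []
    for src, dst, dport, t in flows:
        q = recent[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > window:   # expire records older than the window
            q.popleft()
        targets = {d for _, d, _ in q}
        ports = {p for _, _, p in q}
        if require_both:
            hit = len(targets) >= target_limit and len(ports) <= port_limit
        else:
            hit = len(targets) >= target_limit or len(ports) > port_limit
        if hit and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "ports": sorted(ports),
                           "targets": len(targets), "t": t})
    return alerts

if __name__ == "__main__":
    for a in detect_worm_scans(synthetic_flows()):
        print(f"{a['t']:.2f}s {a['src']} swept {a['targets']} hosts on {a['ports']}")
```

With the defaults only the TCP/135 sweep alerts; switching to require_both=False also flags the five-port vertical scan, which is the false positive the poster describes.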
