Snort mailing list archives

flow-portscan really suitable ???


From: BIZOU <bizou () voila fr>
Date: Thu, 4 Mar 2004 17:09:30 +0100 (CET)

Hi,

I've been working on snort 2.1.1 for a few days. I was previously on snort 2.0.5.
I had to change my portscan2 configuration into flow-portscan and ... well, I dislike it.
Indeed, I tuned my portscan2 preprocessor with scanner-max 256, target_max 1024, target_limit 30, port_limit 40, timeout 40 and it was quite fine. I used portscan2-ignorehost and ignore-port too. I caught MydoomB scans, Blaster.C or B (don't remember) scans, nmap scans....
Now with flow-portscan, I have nothing except false positive scans.
I'm managing 6 NIDS in a wide environment so I cannot define a HOME_NET or whatever defined variable.

When I looked at my prelude reporting GUI this morning (I use a prelude framework for alerting) I only saw false scan alerts. I tried to configure flow-portscan in several ways; I cannot succeed in having correct results.

So please,
1 - tell me that it will be possible again to use portscan2 in future releases
2 - Tell me a way to configure correctly and simply flow-portscan (without a learning time)
3 - Tell me a way to add flow-portscan ignore port from
4 - Tell me that destination port will be present in pktkludge soon


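As an added illustration (not from the post or from Snort) of what thresholds like target_limit 30, port_limit 40 and timeout 40 together with ignore lists do in practice, here is a small Python scan tracker run over constructed connection records. The counter semantics (distinct hosts or distinct ports per source inside an inactivity window, one alert per window) are an assumption for the example, not portscan2's documented algorithm.

```python
# Added illustration of the kind of thresholds the post tunes (target_limit,
# port_limit, timeout, ignore lists). Not Snort code: the counter semantics
# are assumed (distinct hosts / ports per source within a timeout window).

TARGET_LIMIT = 30   # distinct destination hosts per source (post's value)
PORT_LIMIT = 40     # distinct destination ports per source (post's value)
TIMEOUT = 40        # seconds of inactivity before a source's window resets


class ScanTracker:
    def __init__(self, target_limit=TARGET_LIMIT, port_limit=PORT_LIMIT,
                 timeout=TIMEOUT, ignore_hosts=(), ignore_ports=()):
        self.target_limit, self.port_limit, self.timeout = target_limit, port_limit, timeout
        self.ignore_hosts = set(ignore_hosts)  # analogue of portscan2-ignorehosts
        self.ignore_ports = set(ignore_ports)  # analogue of portscan2-ignoreports
        self.state, self.alerts = {}, []       # src -> per-window counters; alerts raised

    def observe(self, t, src, dst, dport):     # t is a timestamp in seconds
        if src in self.ignore_hosts or dport in self.ignore_ports:
            return None
        s = self.state.get(src)
        if s is None or t - s["last"] > self.timeout:   # window expired: start fresh
            s = self.state[src] = {"targets": set(), "ports": set(), "fired": False}
        s["last"] = t
        s["targets"].add(dst)
        s["ports"].add(dport)
        if s["fired"]:                                    # already reported this window
            return None
        if len(s["targets"]) >= self.target_limit:
            alert = f"{src}: {len(s['targets'])} targets in window"
        elif len(s["ports"]) >= self.port_limit:
            alert = f"{src}: {len(s['ports'])} ports in window"
        else:
            return None
        s["fired"] = True
        self.alerts.append(alert)
        return alert


def run_demo():
    """Constructed traffic: horizontal sweep, vertical scan, ignored resolver, slow scanner."""
    tr = ScanTracker(ignore_hosts={"10.0.0.5"}, ignore_ports={53})
    for i in range(35):                       # 35 hosts on port 135 within 18 s
        tr.observe(100 + i * 0.5, "10.0.0.1", f"10.0.1.{i + 1}", 135)
    for p in range(1, 46):                    # 45 ports on one host within 5 s
        tr.observe(200 + p * 0.1, "10.0.0.2", "10.0.1.9", p)
    for i in range(50):                       # whitelisted host, whitelisted port
        tr.observe(300 + i, "10.0.0.5", f"10.0.2.{i + 1}", 53)
    for i in range(35):                       # 35 hosts but 60 s apart: window resets
        tr.observe(1000 + i * 60, "10.0.0.7", f"10.0.3.{i + 1}", 22)
    return tr.alerts
```

The slow scanner shows the trade-off the post is hitting: a short timeout keeps the state tables small and the false positives down, but anything spread out past the window is never counted.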



