Snort mailing list archives

Portscan Detection


From: eric-dated-1083277626.193075aa63e273 () catastrophe net
Date: Sat, 10 Apr 2004 14:08:07 -0500

For those using snort on extremely busy networks or academic
networks, what type of portscan rulesets are you using? We have
about 8000 nodes on our network and see scans going by all day long,
but would like to keep reports down to a minimum...maybe like once
an hour...and do it only with snort and other tools such as grep,
awk, sed, etc.

We've gotten fairly good at thresholding scans to 135/tcp and other
normal noise by requiring 520 connections in 600 seconds, etc., but
would like to know how other folks are doing it :)

Thanks.

- Eric
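As an added example (not from the post above and not part of Snort itself), here is the count-in-seconds thresholding described above done with just awk and sort over Snort fast-format alert lines, reporting each source once per run so an hourly cron invocation yields the once-an-hour summary. The sample alert lines, addresses and the low threshold used in the stand-alone run are constructed for illustration; the function name is an assumption.

```shell
# Constructed sample of Snort "fast" alert lines (not real traffic).
SAMPLE_ALERTS='04/10-14:00:01.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.5:40001 -> 10.0.0.9:135
04/10-14:01:10.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.5:40002 -> 10.0.0.10:135
04/10-14:03:30.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.5:40003 -> 10.0.0.11:135
04/10-14:04:00.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.5:40004 -> 10.0.0.12:135
04/10-14:02:00.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.7:50001 -> 10.0.0.9:135
04/10-14:30:00.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.7:50002 -> 10.0.0.9:135
04/10-14:31:00.000000 [**] [1:9999:1] CONSTRUCTED probe [**] [Priority: 3] {TCP} 10.0.0.7:50003 -> 10.0.0.9:445'

# portscan_report COUNT SECONDS [DSTPORT]
# Reads fast-format alerts on stdin and prints "SRC HITS HOUR" once per source
# whose alerts reach COUNT within any SECONDS-long sliding window (optionally
# counting only alerts to DSTPORT). Assumes chronological input, as Snort writes it.
portscan_report() {
    awk -v cnt="$1" -v win="$2" -v port="${3:-}" '
    {
        for (i = 1; i <= NF; i++) if ($i == "->") break
        if (i >= NF) next                         # no "src -> dst" pair on this line
        src = $(i - 1); dst = $(i + 1)
        sub(/:[0-9]+$/, "", src)                  # drop the source port
        split(dst, d, ":"); if (port != "" && d[2] != port) next
        split($1, dt, "-"); split(dt[1], md, "/"); split(dt[2], hms, ":")
        t = md[2] * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]   # seconds, day-relative (same month)
        n[src]++; ts[src, n[src]] = t
    }
    END {
        for (s in n) {
            j = 1
            for (i = 1; i <= n[s]; i++) {         # two-pointer scan of each source timeline
                if (j < i) j = i
                while (j < n[s] && ts[s, j + 1] - ts[s, i] <= win) j++
                if (j - i + 1 >= cnt) {
                    printf("%s %d %02d\n", s, j - i + 1, int(ts[s, i] / 3600) % 24)
                    break                         # one report line per source per run
                }
            }
        }
    }' | sort
}

# Stand-alone run with a low threshold (3 hits in 600 s to port 135) so the tiny
# sample trips it; on a real sensor use the post's values, e.g. 520 600 135.
printf '%s\n' "$SAMPLE_ALERTS" | portscan_report 3 600 135
```

Feed it the last hour of the alert file (for example via a cron job with a timestamp-based grep) to get one line per scanning host per hour instead of one line per alert.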

