Snort mailing list archives
Portscan Detection
From: eric-dated-1083277626.193075aa63e273 () catastrophe net
Date: Sat, 10 Apr 2004 14:08:07 -0500
For those using snort on extremely busy networks or academic networks, what type of portscan rulesets are you using? We have about 8000 nodes on our network and see scans going by all day long, but would like to keep reports down to a minimum... maybe like once an hour... and do it only with snort and other tools such as grep, awk, sed, etc.

We've gotten fairly good at thresholding scans to 135/tcp and other normal noise by requiring 520 connections in 600 seconds, etc., but would like to know how other folks are doing it :)

Thanks.

- Eric
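One way to do the kind of thresholding Eric describes with nothing but awk, as an added example that is not part of the original post or of Snort itself: a filter that reads spp_portscan-style log lines, counts connections per source address and destination port inside a fixed window, and emits at most one report line per source/port per hour once the count reaches the threshold. The log line layout (`Mon DD HH:MM:SS src:port -> dst:port SYN ******S*`) and the sample traffic are constructed for the example; the thresholds 520 connections in 600 seconds are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): hourly-collapsed portscan
# thresholding with awk, in the spirit of "snort plus grep/awk/sed".

# threshold_scans NEED WINDOW
#   Reads spp_portscan-style lines on stdin (assumed format, see sample_log)
#   and prints one line per (source, dport, hour) once NEED connections are
#   seen within a WINDOW-second span.  Lines are assumed time-ordered per
#   source; only the time of day is parsed, so it is meant for one day's log.
threshold_scans() {
  awk -v need="${1:-520}" -v win="${2:-600}" '
  {
    split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
    split($4, s, ":"); src = s[1]          # source address without port
    split($6, d, ":"); dport = d[2]        # destination port
    key = src SUBSEP dport

    # Fixed window anchored at the first connection seen for this key;
    # once the window has elapsed the counter starts over.
    if (!(key in start) || secs - start[key] >= win) {
      start[key] = secs
      cnt[key] = 0
    }
    cnt[key]++

    # Report only at the moment the threshold is crossed, and only once
    # per clock hour for this source/port, to keep the output to one line
    # an hour per offender.
    if (cnt[key] == need) {
      hour = int(secs / 3600)
      rk = key SUBSEP hour
      if (!(rk in reported)) {
        reported[rk] = 1
        printf "%s %s %02d:00 %s -> port %s: %d+ connections within %ds\n",
               $1, $2, hour, src, dport, need, win
      }
    }
  }'
}

# sample_log
#   Constructed input: 600 SYNs to 135/tcp from one host at two per second
#   (a scan, crosses 520 in 600 s) plus 20 SYNs to 80/tcp from another host
#   at one per minute (ordinary noise, never crosses the threshold).
sample_log() {
  awk 'BEGIN {
    for (i = 0; i < 600; i++) {
      s = int(i / 2)
      printf "Apr 10 14:%02d:%02d 10.0.0.5:%d -> 10.1.%d.%d:135 SYN ******S*\n",
             int(s / 60), s % 60, 1024 + i, int(i / 254), i % 254 + 1
    }
    for (i = 0; i < 20; i++)
      printf "Apr 10 14:%02d:30 10.0.0.9:%d -> 10.1.1.1:80 SYN ******S*\n",
             i, 40000 + i
  }'
}

# Usage: run the constructed sample through the filter with the post's
# numbers (or pass your own: threshold_scans 100 60 < portscan.log).
sample_log | threshold_scans "${1:-520}" "${2:-600}"
```

With the 520/600 numbers only the scanner is reported, and only once, even though it sends 600 connections. Dropping the threshold to 10 shows the hourly collapse: the one-a-minute host crosses 10 connections in two successive 600-second windows, but the second crossing falls in the same hour and is suppressed.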