Snort mailing list archives
Re: Tuning sfPortscan
From: Alex Gottschalk <agottschalk () letstalk com>
Date: Wed, 15 Mar 2006 10:22:28 -0800
Rob Ward wrote:
What I'd like to do, rather than disable the preprocessor, is see only alerts for scans to hosts on our network.
I'm having almost exactly the same issue, and would be very interested to know if anyone has worked out a good solution to this. For the time being, I've disabled the portsweep scan, since that seems to create the greatest number of useless alerts.
Solutions would be what Rob said above, or to be able to filter by port (as in, ignore "portsweeps" to EXTERNAL_NET on ports 80 and 443).
Alex

#include <std-disclaimer.h>
/-------------------------------------------------\
| Alex Gottschalk <agottschalk () letstalk com>   |
| IT Manager/Sysadmin, LetsTalk, Inc.             |
\-------------------------------------------------/
Current thread:
- Tuning sfPortscan Rob Ward (Mar 13)
- Re: Tuning sfPortscan Alex Gottschalk (Mar 15)
- Re: Tuning sfPortscan Eric Hines (Mar 15)
- Re: Tuning sfPortscan Alex Gottschalk (Mar 15)
- Re: Tuning sfPortscan Rob . Ward (Mar 15)
- Re: Tuning sfPortscan Gentoo-Wally (Mar 16)
- Re: Tuning sfPortscan Eric Hines (Mar 15)
- Re: Tuning sfPortscan Alex Gottschalk (Mar 15)