[Snort-devel] Portscan2 suggestion

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Oct 7 07:37:03 EDT 2002


Since the source IP of portscans is recorded in the iphdr table,
wouldn't it make sense to simplify the signature created and remove the
"from X.X.X.X" part?  It would also make management of snort easier, and
allow for easier grouping of signatures to look for patterns.

Another possible item.  What about storing a list of all the dest IPs
in the data output if there's more than one?  Or, what about another
table just to store portscan information so that so many unique sigs
aren't created?  Certainly targets, ports, seconds should be stored
separately from the sig.
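To make the suggestion concrete, here is an added example (not code from the post or from Snort itself) that does the normalisation the post proposes on the alert text side: it strips the per-source "from X.X.X.X" part out of the signature and pulls targets, ports and seconds into their own fields, so that many source-specific alerts collapse onto one signature that can be grouped. The exact wording of the spp_portscan2 message, the sample alert lines and the `PortscanRecord` field names are assumptions modelled on the terms used in the post, not a statement of Snort's real output format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: the message shape below is modelled on the "from X.X.X.X ...
# targets ... ports ... seconds" wording in the post; real spp_portscan2
# output may differ, so adjust the pattern before using it on live alerts.
PORTSCAN_RE = re.compile(
    r"^(?P<prefix>.+?Portscan detected) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<seconds>\d+) seconds$"
)

# Constructed sample alerts (RFC 5737 documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    "spp_portscan2: Portscan detected from 192.0.2.10: 1 targets 21 ports in 1 seconds",
    "spp_portscan2: Portscan detected from 198.51.100.7: 6 targets 6 ports in 0 seconds",
    "spp_portscan2: Portscan detected from 192.0.2.10: 3 targets 40 ports in 2 seconds",
    "spp_portscan2: some unrelated preprocessor message",
]


@dataclass(frozen=True)
class PortscanRecord:
    """One portscan alert split into a stable signature plus per-event fields.

    The source IP, targets, ports and seconds live in their own columns
    (as the post suggests) instead of being baked into the signature text.
    """
    signature: str
    src_ip: str
    targets: int
    ports: int
    seconds: int


def normalize_portscan_msg(msg: str) -> Optional[PortscanRecord]:
    """Parse one alert line; return None when it is not a portscan message."""
    m = PORTSCAN_RE.match(msg.strip())
    if m is None:
        return None
    return PortscanRecord(
        signature=m["prefix"],          # "from X.X.X.X" and the counts removed
        src_ip=m["src"],
        targets=int(m["targets"]),
        ports=int(m["ports"]),
        seconds=int(m["seconds"]),
    )


def group_by_signature(msgs: List[str]) -> Tuple[Dict[str, List[PortscanRecord]], int]:
    """Group parsed alerts under their normalised signature.

    Returns (groups, unparsed_count) so the caller can see how many lines
    did not match and were left out rather than silently dropped.
    """
    groups: Dict[str, List[PortscanRecord]] = defaultdict(list)
    unparsed = 0
    for msg in msgs:
        rec = normalize_portscan_msg(msg)
        if rec is None:
            unparsed += 1
            continue
        groups[rec.signature].append(rec)
    return dict(groups), unparsed


def distinct_sources(records: List[PortscanRecord]) -> List[str]:
    """Sorted unique source IPs behind one signature, for pattern hunting."""
    return sorted({r.src_ip for r in records})


if __name__ == "__main__":
    groups, skipped = group_by_signature(SAMPLE_ALERTS)
    for sig, recs in groups.items():
        print(f"{sig!r}: {len(recs)} alerts from {distinct_sources(recs)}")
        for r in recs:
            print(f"  src={r.src_ip} targets={r.targets} ports={r.ports} seconds={r.seconds}")
    print(f"unparsed lines: {skipped}")
```

With the three constructed portscan lines above, all of them fall under the single signature `spp_portscan2: Portscan detected` with two distinct sources, while the unrelated line is counted as unparsed instead of becoming yet another signature.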
