[Snort-devel] RFE: ignore_ports option for sfportscan preprocessor
Alex Butcher, ISC/ISYS
Alex.Butcher at ...2437...
Mon Feb 14 05:56:04 EST 2005
--On 11 February 2005 07:31 -0800 Jay Beale <jay at ...2665...> wrote:
> Alex Butcher, ISC/ISYS wrote:
>> Hi -
>> As P2P traffic looks a lot like portscanning, it'd be nice to be able to
>> tell sfportscan to ignore the common P2P ports. Sadly, I suspect this
>> would be quite difficult to add with Snort <= 2.3.0.
>> Any comments?
>> Best Regards,
> First, let me preface this by saying that I'm not one of the Snort
> developers. What I outline below could be completely insane or
Sorry - when I said 'difficult', I probably should have qualified that by
adding 'to do efficiently'!
> The requirement itself might be the wrong way to go about
> the problem.
Indeed. Blocking P2P might well be a better option. ;-)
Thanks for your suggestions, anyway. I might have a hack around...
> - Jay
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9