[Snort-devel] How do the fixed and sliding thresholds in the flow-portscan preprocessor work?

Lerdpong Lerdpaisarnwong lerdpong at ...445...
Mon Jun 11 02:26:29 EDT 2007


I configured the flow-portscan preprocessor like below
 
preprocessor flow-portscan: \
    server-watchnet [10.0.0.0/8] \
    talker-sliding-scale-factor 0 \
    unique-memcap 5000000 unique-rows 50000 \
    talker-fixed-window 1 \
    talker-sliding-window 1 \
    talker-sliding-threshold 10 \
    talker-fixed-threshold 10 \
    tcp-penalties on \
    server-scanner-limit 50 \
    alert-mode all \
    output-mode pktkludge
 
 
From my understanding, the fixed and sliding thresholds should be as I have configured (which is 10 for both the sliding and the fixed threshold), but there were some alerts that didn't have the threshold I configured, like below
 
Portscan detect from 161.200.92.12 Talker(fixed:10 sliding: 10) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:10 sliding: 9) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:1 sliding: 10) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:10 sliding: 9) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:1 sliding: 10) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:10 sliding: 9) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:1 sliding: 10) Scanner(fixed:0 sliding: 0)...
Portscan detect from 161.200.92.12 Talker(fixed:10 sliding: 10) Scanner(fixed:0 sliding: 0)...
 
 
So what does it mean? Is it a bug in the preprocessor? Or am I missing some point of flow-portscan?
 
 
 
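The alert lines above show a fixed counter of 1 or 10 beside a sliding counter of 9 or 10, which is the behaviour you get when two independent window counters are each checked against their own threshold and an alert fires as soon as either one crosses. The script below is an added illustration written for this post, not the flow-portscan source: it models a fixed (tumbling) window and a sliding window side by side using the option names from the configuration above. The rules it assumes (the fixed window is anchored at its first hit and discarded when it elapses; the sliding window closes after a quiet period and is extended by scale_factor * sliding_window on every new unique hit; a counter that fires starts over while the other keeps its value) are assumptions made for the demonstration, and the traffic is constructed. Times are in milliseconds.

```python
"""Side-by-side fixed and sliding window counters for one talker.

Added illustration, not the flow-portscan preprocessor's code. Windows
and thresholds use the option names from the configuration in the post;
the reset rules are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class TalkerTracker:
    fixed_window: int            # ms; counter discarded when the window elapses
    sliding_window: int          # ms; initial length of the sliding window
    fixed_threshold: int
    sliding_threshold: int
    sliding_scale_factor: float  # extension per new unique hit (assumed rule)

    fixed_count: int = 0
    fixed_start: int = 0
    sliding_count: int = 0
    sliding_end: float = 0.0
    seen: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def hit(self, ts, dst, port):
        """Feed one observed connection attempt; return alert text or None."""
        key = (dst, port)
        if key in self.seen:
            return None                 # only new destination/port pairs score
        self.seen.add(key)

        # Fixed window: anchored at its first hit, thrown away once it elapses.
        if self.fixed_count == 0 or ts >= self.fixed_start + self.fixed_window:
            self.fixed_start = ts
            self.fixed_count = 0
        self.fixed_count += 1

        # Sliding window: closes after a quiet period; each new hit pushes the
        # close time out by scale_factor * sliding_window (assumed rule).
        if self.sliding_count == 0 or ts > self.sliding_end:
            self.sliding_end = ts + self.sliding_window
            self.sliding_count = 0
        self.sliding_count += 1
        self.sliding_end += self.sliding_scale_factor * self.sliding_window

        fired_fixed = self.fixed_count >= self.fixed_threshold
        fired_sliding = self.sliding_count >= self.sliding_threshold
        if not (fired_fixed or fired_sliding):
            return None
        # The alert reports both counters as they stand at this moment, so
        # the counter that did not fire can show any value below its threshold.
        msg = f"Talker(fixed:{self.fixed_count} sliding: {self.sliding_count})"
        self.alerts.append(msg)
        # Assumption: the counter that fired starts over; the other keeps going.
        if fired_fixed:
            self.fixed_count = 0
        if fired_sliding:
            self.sliding_count = 0
        return msg


def demo():
    """Constructed traffic from one talker; returns the alert strings raised."""
    t = TalkerTracker(fixed_window=1000, sliding_window=1000,
                      fixed_threshold=10, sliding_threshold=10,
                      sliding_scale_factor=0.5)
    # Phase 1: 25 distinct ports, one every 150 ms. Fewer than 10 land inside
    # any single 1 s fixed window, but the sliding window keeps extending, so
    # only the sliding counter reaches 10 (fixed shows 3, then 6).
    for i in range(25):
        t.hit(150 * i, "10.0.0.5", 1000 + i)
    # Phase 2: after a quiet gap, a burst of 12 ports 10 ms apart. Both
    # windows restart together, so both counters hit 10 on the same packet.
    for k in range(12):
        t.hit(10000 + 10 * k, "10.0.0.5", 2000 + k)
    return t.alerts


if __name__ == "__main__":
    for line in demo():
        print("Portscan detect from 10.0.0.5", line)
```

Reading the output this way: "fixed:1 sliding: 10" means the sliding counter crossed its threshold on a hit that had just opened a fresh fixed window, and "fixed:10 sliding: 9" means the fixed counter crossed while the sliding one was a hit short. Neither is a threshold being ignored; the reported pair is a snapshot of both counters at the moment one of them fired.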

