[Snort-sigs] good settings for portscan preprocessor?

James Riden j.riden at ...1766...
Thu Nov 13 12:56:03 EST 2003

David Wilburn <dwilburn at ...8...> writes:

> I've never had any good luck with the portscan preprocessor with Snort
> in any network I've used it on with the default settings, regardless
> of my host filtering.  Does anyone here have any recommendations on a
> good setting that they've used in a large-ish network?
> By the way, I'm using the original portscan preprocessor, not
> portscan2, due to my using Snort in conjunction with SGUIL.
> -Dave Wilburn

FWIW "preprocessor portscan: any 20 5 portscan.log"

But I usually do some simple post-processing on portscan.log to pick
up how many times and in what pattern a particular machine is active.
(basically - add source IP to hash table for counting and then
distinguish between 135-139, 25 and other destination ports.)

James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402 / mobile: 025 671 6418

More information about the Snort-sigs mailing list