[Snort-sigs] good settings for portscan preprocessor?
j.riden at ...1766...
Thu Nov 13 12:56:03 EST 2003
David Wilburn <dwilburn at ...8...> writes:
> I've never had any good luck with the portscan preprocessor with Snort
> in any network I've used it on with the default settings, regardless
> of my host filtering. Does anyone here have any recommendations on a
> good setting that they've used in a large-ish network?
> By the way, I'm using the original portscan preprocessor, not
> portscan2, due to my using Snort in conjunction with SGUIL.
> -Dave Wilburn
FWIW "preprocessor portscan: any 20 5 portscan.log"
But I usually do some simple post-processing on portscan.log to pick
up how many times and in what pattern a particular machine is active.
(basically - add source IP to hash table for counting and then
distinguish between 135-139, 25 and other destination ports.)
James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402 / mobile: 025 671 6418
More information about the Snort-sigs