[Snort-users] Multiple triggers on portscan plugin
Kenny.Elmore at ...758...
Mon Nov 6 17:22:54 EST 2000
I would like to set more than one threshold on portscans.
I have written a perl script to shun scanners by writing to an acl on the router
to block the IP Address. However, I find that in 10 seconds the scanner is able
to get in a scan of over 1000 hosts in some cases. By also setting a threshold
of 10 in 1 second, I could stop the fast scans much quicker.
I would also like to detect 120 connection attempts in 120 seconds (which may
not set off either one of the other rules) to catch slow scanners.
Will what I have below work? If not, is there a way to do it, or if so, is there
a better way to do it?
preprocessor portscan: $HOME_NET 10 1 /opt/snort/logs/ps.log
preprocessor portscan: $HOME_NET 25 10 /opt/snort/logs/ps.log
preprocessor portscan: $HOME_NET 120 120 /opt/snort/logs/ps.log
preprocessor portscan-ignorehosts: $IGNORE_HOSTS
Kenny Elmore, Network Engineer
Information Technology Services
230 Appleton Place
142 Hill Center/PD Box 34
Nashville, Tennessee 37203
Kenny.Elmore at ...759...
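Added example, not from the post and not Snort's own preprocessor code: a small multi-window detector in Python that applies the three (count, seconds) pairs from the config above to a stream of connection attempts, showing that a slow one-attempt-per-second scan fires only the 120-in-120 threshold while a fast scan fires 10-in-1 first. All addresses, timestamps and names are constructed.

```python
from collections import deque
from typing import Dict, List, Tuple

# Thresholds as (count, seconds), mirroring the three portscan lines in the post.
THRESHOLDS: List[Tuple[int, int]] = [(10, 1), (25, 10), (120, 120)]


class MultiWindowScanDetector:
    """Track connection attempts per source and report any window that fills."""

    def __init__(self, thresholds: List[Tuple[int, int]] = THRESHOLDS):
        self.thresholds = thresholds
        self.history: Dict[str, deque] = {}  # timestamps per source address

    def observe(self, src: str, ts: float) -> List[Tuple[int, int]]:
        """Record one attempt (src, timestamp in seconds).

        Returns the (count, seconds) thresholds that this attempt pushed over
        the limit. Timestamps older than the widest window are discarded.
        """
        q = self.history.setdefault(src, deque())
        q.append(ts)
        widest = max(window for _, window in self.thresholds)
        while q and ts - q[0] > widest:
            q.popleft()
        fired = []
        for count, window in self.thresholds:
            recent = sum(1 for t in q if ts - t <= window)
            if recent >= count:
                fired.append((count, window))
        return fired


def first_alert(events: List[Tuple[str, float]]):
    """Replay events in order; return (threshold, event index) of the first alert."""
    det = MultiWindowScanDetector()
    for i, (src, ts) in enumerate(events):
        fired = det.observe(src, ts)
        if fired:
            return fired[0], i
    return None, None


# Constructed traffic: a fast scan (one attempt every 0.05 s) and a slow scan
# (one attempt per second), each from a single hypothetical source.
FAST_SCAN = [("10.0.0.5", i * 0.05) for i in range(200)]
SLOW_SCAN = [("10.0.0.9", float(i)) for i in range(200)]

if __name__ == "__main__":
    print("fast scan:", first_alert(FAST_SCAN))  # ((10, 1), 9)
    print("slow scan:", first_alert(SLOW_SCAN))  # ((120, 120), 119)
```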