[Snort-users] Multiple triggers on portscan plugin

Kenny Elmore Kenny.Elmore at ...758...
Mon Nov 6 17:22:54 EST 2000

I would like to set more than one threshold on portscans.

I have written a perl script to shun scanners by writing to an acl on the router
to block the IP Address. However, I find that in 10 seconds the scanner is able
to get in a scan of over 1000 hosts in some cases. By also setting a threshold
of 10 in 1 second, I could stop the fast scans much quicker.

I would also like to detect 120 connection attempts in 120 seconds (which may
not set off either one of the other rules) to catch slow scanners.

Will what I have below work? If not, is there a way to do it, or if so, is there
a better way to do it?

preprocessor portscan: $HOME_NET 10 1  /opt/snort/logs/ps.log
preprocessor portscan: $HOME_NET 25 10 /opt/snort/logs/ps.log
preprocessor portscan: $HOME_NET 120 120 /opt/snort/logs/ps.log
preprocessor portscan-ignorehosts: $IGNORE_HOSTS


Kenny Elmore, Network Engineer
Vanderbilt University
Information Technology Services
230 Appleton Place
142 Hill Center/PD Box 34
Nashville, Tennessee  37203

Kenny.Elmore at ...759...
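
As an added example (not code from the original post, and not Snort's own preprocessor code), the Python below models the three thresholds from the post as independent trailing windows per source address and runs them over constructed connection-attempt records. It assumes an alert fires as soon as the count inside a window reaches its threshold, which is a modelling choice rather than a statement about how Snort 1.x schedules portscan alerts, and it counts raw attempts, so it matches a port/host count only because each constructed attempt goes to a different host. The source addresses, host ranges and scan rates are invented for the illustration.

```python
"""Multi-threshold portscan detection over constructed connection-attempt records.

Added example, not Snort code: each source gets one trailing window per
threshold, and the first window whose attempt count reaches its threshold
reports the source. The fourth field of each result is how many attempts the
source made before it was reported, i.e. how much of the scan got through
before a shun script could have acted.
"""
from collections import defaultdict, deque

# (attempts, window_ms): the three thresholds from the post's three
# "preprocessor portscan" lines, expressed in milliseconds.
THRESHOLDS = [(10, 1_000), (25, 10_000), (120, 120_000)]


def detect_scanners(events, thresholds=THRESHOLDS):
    """events: iterable of (t_ms, src, dst, dport) tuples in time order.

    Returns {src: (attempts, window_ms, t_ms, attempts_seen)} describing the
    first threshold each source trips, when it tripped, and how many attempts
    the source had made by then (including the one that tripped it).
    """
    windows = defaultdict(lambda: [deque() for _ in thresholds])
    seen = defaultdict(int)
    alerts = {}
    for t_ms, src, _dst, _dport in events:
        if src in alerts:
            continue  # already reported; a real shun would have blocked it
        seen[src] += 1
        for (attempts, window_ms), q in zip(thresholds, windows[src]):
            q.append(t_ms)
            # Drop attempts that have fallen out of the trailing window.
            # The deque is never emptied here: the attempt just appended is
            # always inside its own window.
            while q[0] <= t_ms - window_ms:
                q.popleft()
            if len(q) >= attempts:
                alerts[src] = (attempts, window_ms, t_ms, seen[src])
                break
    return alerts


def scan(src, start_ms, interval_ms, n, dport=80):
    """Constructed sample: n attempts from src, one every interval_ms,
    each to a different host in a hypothetical 192.168.1.0/24 monitored net."""
    return [(start_ms + i * interval_ms, src, f"192.168.1.{i % 254 + 1}", dport)
            for i in range(n)]


# Constructed traffic (not captured data): four sources with different rates.
SAMPLE_EVENTS = sorted(
    scan("10.0.0.1", 0, 10, 1000)       # fast: 1000 hosts in 10 s
    + scan("10.0.0.2", 0, 300, 40)      # medium: ~3 attempts/s, under 10 in 1 s
    + scan("10.0.0.3", 0, 1_000, 120)   # slow: 1 attempt/s for two minutes
    + scan("10.0.0.4", 0, 12_000, 5),   # benign: 5 attempts spread over a minute
    key=lambda e: e[0],
)


if __name__ == "__main__":
    print("all three thresholds:")
    for src, (attempts, window_ms, t_ms, n) in detect_scanners(SAMPLE_EVENTS).items():
        print(f"  {src}: {attempts} in {window_ms / 1000:g}s tripped at "
              f"t={t_ms / 1000:g}s after {n} attempts")
    print("only 25 in 10 s:")
    for src, (attempts, window_ms, t_ms, n) in detect_scanners(
            SAMPLE_EVENTS, [(25, 10_000)]).items():
        print(f"  {src}: tripped at t={t_ms / 1000:g}s after {n} attempts")
```

With all three thresholds the fast scanner is reported at its 10th attempt (t=0.09 s), the medium one by the 25-in-10 s window at its 25th attempt, and the slow one-per-second scanner only by the 120-in-120 s window at the end of its run, while the benign host is never reported. With the single 25-in-10 s threshold the fast scanner still gets 25 attempts through and the slow scanner is never reported at all, which is the gap the extra thresholds are meant to close.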
