[Snort-users] Reducing portscan alerts in logfile
fygrave at ...121...
Tue Apr 3 07:21:22 EDT 2001
On Tue, Apr 03, 2001 at 12:33:18PM +0200, Markus Gronlund wrote:
> On Tue, 3 Apr 2001, Fyodor wrote:
> > On Tue, Apr 03, 2001 at 11:24:43AM +0200, Markus Gronlund wrote:
> > > Hello,
> > >
> > > Is there a way to make the portscan detector silent or only make a
> > > single message per portscan, not 3 different alert messages,
> > > PORTSCAN DETECTED, portscan status, End of portscan...
> > >
> > > Running snort in -Afast mode..
> > >
> > You can turn off the portscan detector completely. If you want to
> > customize the messages which it gives, you will have to hack the source
> > though.
> Yes, but I still want the portscan.log file, just not having the
> alert-file cluttered with portscan status alerts.
> Ok, just thought I should check before making patches to the source,
> then that's what I'll do. (what would one do without opensource? :->)
Heh.. just comment out 'CallAlertFuncs()' entries in spp_portscan.c and you
will get this done.. Maybe we should add this 'feature' to snort so you could
manipulate it from snort.conf too, any opinions? :)
(keep in mind that we are afraid of 'creeping featurism' disease too, so if
not so many people find it useful, it is probably not needed :PPP)
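
An alternative to patching spp_portscan.c, as an added example that is not part of the original thread or of Snort itself: post-filter the fast-mode alert file so each scan leaves one line. It matches only the three message names quoted above; the "from <ip>" layout and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# The three portscan messages named in the thread. The "from <ip>" suffix
# is an assumed layout; adjust the pattern to the lines your build writes.
PORTSCAN_RE = re.compile(
    r"(PORTSCAN DETECTED|portscan status|End of portscan)\s+from\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)

def collapse_portscan_alerts(lines):
    """Keep one alert line per portscan; pass every other alert through."""
    active = set()   # sources with a scan currently in progress
    out = []
    for line in lines:
        m = PORTSCAN_RE.search(line)
        if m is None:
            out.append(line)          # not a portscan message: keep as is
            continue
        kind, src = m.groups()
        if src not in active:
            # First message seen for this scan. This is normally the
            # DETECTED line, but after log rotation it may be a status or
            # end line; keep it so no scan disappears entirely.
            out.append(line)
        if kind == "End of portscan":
            active.discard(src)       # a later scan is reported again
        else:
            active.add(src)
    return out

# Constructed sample alert lines (not real Snort output).
SAMPLE = [
    "04/03-07:20:01 [**] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 [**]",
    "04/03-07:20:03 [**] example rule alert [**] 198.51.100.7:1025 -> 192.0.2.1:80",
    "04/03-07:20:05 [**] spp_portscan: portscan status from 192.0.2.10: 12 connections [**]",
    "04/03-07:20:09 [**] spp_portscan: End of portscan from 192.0.2.10 [**]",
    "04/03-07:25:00 [**] spp_portscan: portscan status from 203.0.113.5: 3 connections [**]",
    "04/03-07:30:00 [**] spp_portscan: PORTSCAN DETECTED from 192.0.2.10 [**]",
]

if __name__ == "__main__":
    # Filter an alert file given on stdin, e.g. a copy of the alert file.
    sys.stdout.writelines(collapse_portscan_alerts(sys.stdin))
```

Because this only rewrites a copy of the alert file, portscan.log and the detector's own behaviour are left untouched.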