[Snort-users] Reducing portscan alerts in logfile

Fyodor fygrave at ...121...
Tue Apr 3 07:21:22 EDT 2001


On Tue, Apr 03, 2001 at 12:33:18PM +0200, Markus Gronlund wrote:
> On Tue, 3 Apr 2001, Fyodor wrote:
> 
> > On Tue, Apr 03, 2001 at 11:24:43AM +0200, Markus Gronlund wrote:
> > > Hello,
> > > 
> > > Is there a way to make the portscan detector silent or only make a
> > > single message per portscan, not 3 different alert messages,
> > > PORTSCAN DETECTED, portscan status, End of portscan...
> > > 
> > > Running snort in -Afast mode.. 
> > > 
> > 
> > You can turn off the portscan detector completely. If you want to
> > customize the messages which it gives, you will have to hack the source
> > though.
> 
> Yes, but I still want the portscan.log file, just not having the
> alert-file cluttered with portscan status alerts.
> Ok, just thought I should check before making patches to the source,
> then that's what I'll do. (what would one do without opensource? :->)
> 

Heh.. just comment out 'CallAlertFuncs()' entries in spp_portscan.c and you
will get this done.. Maybe we should add this 'feature' to snort so you could
manipulate it from snort.conf too, any opinions? :)

(keep in mind that we are afraid of 'creeping featurism' disease too, so if
not so many people find it useful, it is probably not needed :PPP)


-Fyodor



