[Snort-users] Scan Proxy
toganm at ...603...
Tue Apr 24 03:04:56 EDT 2001
On Tue, Apr 24, 2001 at 02:45:21AM -0400, Brian Caswell wrote:
> Did that have portscans setup correctly? You might want to check the
> portscan settings, it might be too tightly wound for your uses.
I assume your first question regarding portscans is for 1.8. Please find it below; this is from my current snort.conf:
var HOME_NET any
var EXTERNAL_NET any
var SMTP $HOME_NET
# Set up your web servers, or simply configure them
# to HOME_NET
#var HTTP_SERVERS $HOME_NET
# Define the addresses of DNS servers and other hosts
# if you want to ignore portscan false alarms from them...
var DNS_SERVERS $HOME_NET
preprocessor minfrag: 128
# use one or the other, not both!
#preprocessor stream: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
# Use one or more syslog facilities as arguments
output alert_syslog: LOG_AUTH LOG_ALERT
The classification.config is the default that comes with the source.
> in classification.config of course. I'm writing a README.priority,
> but for now the documentation in classification.config should be
> enough to start.
Ehm, looks like I need more coffee. Sorry.
> Correct. SF has been notified of the change, but they are massively
> busy over there. Too many exploits, too many vulnerabilities, too
> little time. I've been told 'soon'. Give em a bit of time. 1.8
> hasn't been released yet, so they have a short bit of time :)
Relief on that point. Thanks.