[Snort-users] Portscan preprocessor tweaking

Andrew J. Bostaph abostaph at ...770...
Tue May 15 13:34:53 EDT 2001


I am trying to fine tune my portscan preprocessor.  I changed the
default:

preprocessor portscan: $HOME_NET 4 3  portscan.log

to:

preprocessor portscan: $HOME_NET 8 5  portscan.log

But I don't think it's working correctly now.  I keep seeing logs like:

May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from
208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from
129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)

1 connection across 1 host?  I was shooting for 8 connections (in 5
seconds) minimum.  Where did I go wrong?

Thanks,

Boa




