[Snort-users] Portscan preprocessor tweaking
berjo at ...827...
Wed May 16 05:50:54 EDT 2001
STEALTH packets are always reported as a portscan, no tweaking will get rid
Not sure about that second one though, but it's an update and updates don't
necessarily need to match the detection criteria that caused it to start
getting logged in the first place.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Andrew J.
Sent: Wednesday, 16 May 2001 3:35
To: snort users
Subject: [Snort-users] Portscan preprocessor tweaking
I am trying to fine tune my portscan preprocessor. I changed the
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan: $HOME_NET 8 5 portscan.log
But I don't think it's working correctly now. I keep seeing logs like:
May 15 12:13:22 sinus snort: spp_portscan: portscan status from
188.8.131.52: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort: spp_portscan: portscan status from
184.108.40.206: 1 connections across 1 hosts: TCP(0), UDP(1)
1 connection across 1 host? I was shooting for 8 connections (in 5
seconds) minimum. Where did I go wrong?
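
An added example, not part of the original thread or of Snort: a small Python triage helper for the spp_portscan status lines quoted above. It separates STEALTH entries, which the reply says are always reported, from below-threshold status updates. The sample lines and addresses are constructed, the threshold of 8 is taken from the poster's configuration, and the "status-update" label reflects the reply's tentative explanation.

```python
import re

# Status-line format as it appears in the syslog output quoted in the thread.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>\S+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)
# A new syslog entry starts with a timestamp such as "May 15 12:13:22".
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")

def unwrap(text):
    """Re-join syslog entries that a mail client wrapped onto a second line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def classify(entry, threshold):
    """Return (source, connections, reason) for a status line, else None."""
    m = STATUS_RE.search(entry)
    if m is None:
        return None
    conns = int(m["conns"])
    if m["stealth"]:
        reason = "stealth"        # reported regardless of threshold (per the reply)
    elif conns < threshold:
        reason = "status-update"  # follow-up on a logged source (the reply's guess)
    else:
        reason = "threshold"
    return m["src"], conns, reason

def triage(text, threshold=8):
    """Classify every spp_portscan status line found in text."""
    return [r for r in (classify(e, threshold) for e in unwrap(text)) if r]

# Constructed sample input (RFC 5737 documentation addresses), wrapped like the post.
SAMPLE = """\
May 15 12:13:22 sinus snort: spp_portscan: portscan status from
192.0.2.10: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort: spp_portscan: portscan status from
192.0.2.20: 1 connections across 1 hosts: TCP(0), UDP(1)
May 15 12:14:02 sinus snort: spp_portscan: portscan status from
192.0.2.30: 12 connections across 3 hosts: TCP(12), UDP(0)
"""
```

Calling triage(SAMPLE) returns one (source, connections, reason) tuple per status line, so the entries that a higher threshold cannot suppress are easy to pick out.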