[Snort-users] Portscan preprocessor tweaking

John Berkers berjo at ...827...
Wed May 16 05:50:54 EDT 2001


STEALTH packets are always reported as a portscan; no tweaking will get rid
of them.

Not sure about that second one though, but it's an update and updates don't
necessarily need to match the detection criteria that caused it to start
getting logged in the first place.

John

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Andrew J. Bostaph
Sent: Wednesday, 16 May 2001 3:35
To: snort users
Subject: [Snort-users] Portscan preprocessor tweaking


I am trying to fine tune my portscan preprocessor.  I changed the
default:

preprocessor portscan: $HOME_NET 4 3  portscan.log

to:

preprocessor portscan: $HOME_NET 8 5  portscan.log

But I don't think it's working correctly now.  I keep seeing logs like:

May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from 208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)

1 connection across 1 host?  I was shooting for 8 connections (in 5
seconds) minimum.  Where did I go wrong?

Thanks,

Boa
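Added example (not from either poster): a small parser for the spp_portscan status lines quoted above, plus a triage function that reflects John's reply: STEALTH entries are reported regardless of the threshold, and non-stealth entries below the configured count are treated as status updates rather than new detections. The sample log is constructed from the two lines in the thread plus one invented line that clears the threshold; the threshold is read as "8 connections" the way the original post reads it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the thread plus one made-up line
# (10.0.0.7) that exceeds the configured threshold.
SAMPLE_LOG = """\
May 15 12:13:22 sinus snort[31805]: spp_portscan: portscan status from 208.201.239.56: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
May 15 12:13:34 sinus snort[31805]: spp_portscan: portscan status from 129.59.100.1: 1 connections across 1 hosts: TCP(0), UDP(1)
May 15 12:14:02 sinus snort[31805]: spp_portscan: portscan status from 10.0.0.7: 12 connections across 1 hosts: TCP(12), UDP(0)
"""

# Matches the status message format shown in the thread.
STATUS_RE = re.compile(
    r"spp_portscan: portscan status from (?P<src>[\d.]+): "
    r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
    r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<stealth> STEALTH)?"
)


@dataclass
class PortscanStatus:
    src: str
    connections: int
    hosts: int
    tcp: int
    udp: int
    stealth: bool


def parse_status_lines(text):
    """Extract every spp_portscan status record from a block of syslog text."""
    records = []
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            records.append(PortscanStatus(
                m["src"], int(m["conns"]), int(m["hosts"]),
                int(m["tcp"]), int(m["udp"]), m["stealth"] is not None))
    return records


def classify(rec, conn_threshold=8):
    """Why did this line appear? Assumed categories mirroring John's reply:
    'stealth'   - STEALTH packets are always reported, threshold or not
    'threshold' - the count in the line meets the configured threshold
    'update'    - below threshold: a status update on an existing scan"""
    if rec.stealth:
        return "stealth"
    if rec.connections >= conn_threshold:
        return "threshold"
    return "update"
```

Running classify() over the parsed sample gives "stealth", "update" and "threshold" for the three lines in order, which is the split John describes.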

