[Snort-users] ACID + spp_portscan

dmuz dmuz at ...2089...
Thu May 24 15:55:31 EDT 2001


On Thu, May 24, 2001 at 02:30:26PM +0000, roman at ...438... said:
> - In the extremely near future, ACID could merely ignore
> "spp_portscans" in the unique alerts page, and create another
> page which merely lists these messages?  Any interest?

This sounds like a good way to deal with the issue. Perhaps a config var
that can control whether to split spp_portscan alerts out to another
page? This way you can still include them in the main alert view if you
desire.

> - Snort internals need to be changed so that pre-processor
> alerts communicate in a well-formed manner with
> output plugins.  This will eliminate 1-signature per every
> portscan.

Can anyone chime in on what the current plans are in this respect?

> 
> Roman
> 
> > Hi all,
> > 
> > 	any idea how I can avoid having lots of different
> > "signatures" generated by spp_portscan in my database?  At
> > the moment they are making the "unique signatures" page a
> > little unreadable.
> > 
> > cheers
> > 
> > 	Tom

-- 
dmuz
http://sec.angrypacket.com/



