[Snort-users] ACID + spp_portscan
dmuz at ...2089...
Thu May 24 15:55:31 EDT 2001
On Thu, May 24, 2001 at 02:30:26PM +0000, roman at ...438... said:
> - In the extremely near future, ACID could merely ignore
> "spp_portscans" in the unique alerts page, and create another
> page which merely lists these messages? Any interest?
This sounds like a good way to deal with the issue. Perhaps a config var
that can control whether to split spp_portscan alerts out to another
page? This way you can still include them in the main alert view if you
> - Snort internals need to be changed so that pre-processor
> alerts communicate in a well-formed manner with
> output plugins. This will eliminate 1-signature per every
Can anyone chime in on what the current plans are in this respect?
> > Hi all,
> > any idea how I can avoid having lots of different
> > "signatures" generated by spp_portscan in my database? At
> > the moment they are making the "unique signatures" page a
> > little unreadable.
> > cheers
> > Tom