[Snort-users] NEWBIE: portscan tuning

eboo at ...2198... eboo at ...2198...
Thu Oct 25 23:45:06 EDT 2001

Hi all,

Sorry if this has been asked before. I've read the manual but still am not
sure what I am doing wrong.

I get portscan alerts from snort when I access the web:

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from a.b.c.d
(THRESHOLD 5 connections exceeded in 6 seconds) [**]


var DNS_SERVERS a.b.c.d

preprocessor portscan: $HOME_NET 4 3 portscan.log
(I've also tried commenting out the above line, same effect)

preprocessor portscan-ignorehosts: $DNS_SERVERS

How do I get snort to not report portscans from my machine or
any network which I specify?


