[Snort-users] guardian + snort
dariusz.brzezinski at ...3372...
Sat Sep 8 04:25:01 EDT 2001
Hello to all - I'm new here :-)
I don't know if any of you is using snort+guardian, but I'd like
to ask one question:
Why does guardian see
[**] [1:1002:1] <ppp0> WEB-IIS cmd.exe access [**]
in snort's alert file and correctly blocks it and DOES NOT see:
[**] [100:1:1] <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from 22.214.171.124 (THRESHOLD 4 connections exceeded in 0 seco
[**] [100:2:1] <ppp0> spp_portscan: portscan status from 126.96.36.199: 44 connections across 1 hosts: TCP(44), UDP(0) [**]
In the end it blocks less important things and does not block portscanning.
TIA for help
Dariusz mailto:dariusz.brzezinski at ...3372...