[Snort-users] guardian + snort

Dariusz Brzeziński dariusz.brzezinski at ...3372...
Sat Sep 8 04:25:01 EDT 2001

Hello to all - I'm new here :-)

I don't know if someone of you is using snort+guardian, but I'd like
to have one question:
Why does guardian sees

[**] [1:1002:1]  <ppp0> WEB-IIS cmd.exe access [**]

in snort's alert file and correctly blocks it and DOES NOT see:

[**] [100:1:1]  <ppp0> spp_portscan: PORTSCAN DETECTED on ppp0 from (THRESHOLD 4 connections exceeded in 0 seco

[**] [100:2:1]  <ppp0> spp_portscan: portscan status from 44 connections across 1 hosts: TCP(44), UDP(0) [**]

In the end it blocks less important things and does not portscanning.

TIA for help


Best regards,
 Dariusz                          mailto:dariusz.brzezinski at ...3372...

More information about the Snort-users mailing list