[Snort-users] Portscan madness -- how to tweak

chi-leung.wong at ...4477...
Sun Jan 6 19:36:02 EST 2002

Hello everyone,

Sorry to be a bother, but I've been trying to get this portscan
tweaked but it's killing me. Currently my alerts consist of 90%
portscans and I can't seem to tweak it through rules or even the
portscan-ignorehosts (might as well turn portscan off if using too many
addresses). I have my IDS sitting at a traffic point on our router. My
EXTERNAL_NET and HOME_NET are set to any since I'm detecting internal
intrusions and not external. I'm just getting bombarded. All I can think
of now is to turn off portscan if everything fails. Does anyone have any
suggestions? Portscan options are now 7 3. Any help would be very much
appreciated. Thank you.


