[Snort-users] Portscan madness -- how to tweak

Martin Roesch roesch at ...1935...
Sun Jan 6 21:48:02 EST 2002


Are they UDP portscans or TCP portscans?  Are they coming from your DNS
server or elsewhere?  What version of Snort are you using?  Are the
scans from a few IP addresses all the time or from a bunch of different
sources?

     -Marty

chi-leung.wong at ...4477... wrote:
> 
> Hello everyone,
> 
>         Sorry to be a bother, but I've been trying to get this portscan
> tweaked but it's killing me. Currently my alerts consist of 90%
> portscans and I can't seem to tweak it through rules or even the
> portscan-ignorehosts (might as well turn portscan off if using too many
> addresses). I have my IDS sitting at a traffic point on our router. My
> EXTERNAL_NET and HOME_NET are set to any since I'm detecting internal
> intrusions and not external. I'm just getting bombarded. All I can think
> of now is to turn off portscan if everything fails. Does anyone have any
> suggestions? Portscan options are now 7 3. Any help would be very much
> appreciated. Thank you.
> 
> Cheers,
> -Alan
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
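
Added example, not part of the original thread or of Snort itself: a small script that answers the triage questions in the reply above (UDP or TCP, from the DNS server or elsewhere, few sources or many) by tallying a portscan log. The line layout, the `summarize` helper, the `dns_servers` parameter and the sample addresses are assumptions made for illustration; adjust the pattern to the log your Snort version actually writes.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout: "Mon DD HH:MM:SS src:sport -> dst:dport TYPE [flags]"
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):\d+\s+(?P<kind>\S+)"
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
Jan  6 21:40:01 192.0.2.53:53 -> 198.51.100.10:1025 UDP
Jan  6 21:40:01 192.0.2.53:53 -> 198.51.100.11:1026 UDP
Jan  6 21:40:02 192.0.2.53:53 -> 198.51.100.12:1027 UDP
Jan  6 21:40:02 192.0.2.53:53 -> 198.51.100.10:1030 UDP
Jan  6 21:41:10 203.0.113.7:4001 -> 198.51.100.10:21 SYN ******S*
Jan  6 21:41:10 203.0.113.7:4002 -> 198.51.100.10:22 SYN ******S*
"""

def summarize(lines, dns_servers=()):
    """Tally portscan events by protocol and by source address."""
    protocols = Counter()
    events = Counter()
    targets = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognized lines
        # Assumption: any type other than UDP (SYN, FIN, ...) is a TCP scan.
        protocols["UDP" if m["kind"] == "UDP" else "TCP"] += 1
        events[m["src"]] += 1
        targets[m["src"]].add(m["dst"])
    total = sum(events.values())
    from_dns = sum(events[ip] for ip in dns_servers)
    return {
        "total": total,
        "protocols": dict(protocols),
        # (source, event count, distinct destination hosts), busiest first
        "sources": [(ip, n, len(targets[ip])) for ip, n in events.most_common()],
        "dns_share": from_dns / total if total else 0.0,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines(), dns_servers={"192.0.2.53"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A high `dns_share` made up of UDP events from port 53 points at DNS replies being counted as scans, which narrows the ignore list to a handful of servers instead of disabling the preprocessor.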



