[Snort-users] Portscan parameters

Glenn Forbes Fleming Larratt glratt at ...604...
Tue Oct 1 13:18:04 EDT 2002


I use 20 hits in 5 seconds as a threshold. I get very few
false positives.

	-g

On Tue, 1 Oct 2002, shadi Rostami wrote:

> I was just wondering, what are the typical values for portscan threshold and
> period?
> In snort.conf, it seems to be 4 ports in 3 seconds.
> Are these realistic numbers? Don't you get many false alarms if you set
> these numbers? I myself was thinking of portscan as about 50 scans within a
> second!


				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...
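
The three settings mentioned in this thread (4 ports in 3 seconds, 20 hits in 5 seconds, 50 within a second) compared on constructed traffic. This is an added example, not part of either poster's message and not Snort's own detection code; it assumes a simplified model that counts distinct destination host/port pairs per source in a sliding window, and every address and function name in it is made up for illustration.

```python
from collections import defaultdict, deque

def detect_scans(events, ports, period):
    """Return sources that touched >= `ports` distinct (host, port) targets
    within any `period`-second window (simplified model, an assumption).
    events: iterable of (timestamp_seconds, src, dst, dport), sorted by time."""
    windows = defaultdict(deque)          # src -> deque of (ts, target)
    flagged = set()
    for ts, src, dst, dport in events:
        win = windows[src]
        win.append((ts, (dst, dport)))
        while win and ts - win[0][0] > period:   # drop events outside the window
            win.popleft()
        if len({target for _, target in win}) >= ports:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed traffic, not captured data: (timestamp, src, dst, dport)."""
    ev = []
    # Busy but benign client: 6 web connections to different servers in 1.5 s.
    ev += [(i * 0.3, "192.0.2.10", f"10.0.0.{i + 1}", 80) for i in range(6)]
    # Moderate scan: 30 ports on one host at 5 ports per second.
    ev += [(i * 0.2, "203.0.113.5", "10.0.0.50", 1 + i) for i in range(30)]
    # Fast scan: 100 ports on one host at 100 ports per second.
    ev += [(i * 0.01, "198.51.100.7", "10.0.0.50", 1 + i) for i in range(100)]
    return sorted(ev)

# (ports, period in seconds) for the three settings discussed in the thread.
THRESHOLDS = {"4 in 3s": (4, 3), "20 in 5s": (20, 5), "50 in 1s": (50, 1)}

def compare():
    """Map each threshold setting to the set of sources it would flag."""
    ev = sample_events()
    return {name: detect_scans(ev, p, t) for name, (p, t) in THRESHOLDS.items()}

if __name__ == "__main__":
    for name, srcs in compare().items():
        print(f"{name:9s} -> {sorted(srcs)}")
```

On this sample the 4-in-3 setting also flags the benign client, 20-in-5 flags both scanners only, and 50-in-1 misses the slower scan.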




