[Snort-users] Editing detect_scans

Michael Shekman MichaelS80 at ...7115...
Tue Oct 8 15:29:02 EDT 2002


I am running a network behind a PIX firewall, and every web connection generates a ton of scan alerts, since every connection from the same web host IP (port 80) creates a score of ports on the "inside", which is rightfully detected by Snort as a scan. Thus, I would like to edit out ports 53, 80 and 443 from the detection scheme in streams4 preprocessor.

How can I do it on the Windows and Linux machines (the latter is more critical)?

Thanks,

M.S.
