[Snort-users] Editing detect_scans
MichaelS80 at ...7115...
Tue Oct 8 15:29:02 EDT 2002
I am running network behind a PIX firewall, and every web connection generates a ton of scan alerts, since every connection from the same web host IP (port 80) creates a score of ports on the "inside", which is rightfully detected by Snort as a scan. Thus, I would like to edit out ports 53, 80 and 443 from the detection scheme in streams4 preprocessor.
How can I do it on the Windows and Linux machines (later is more critical)?
More information about the Snort-users