[Snort-users] Portscan preprocessor and false positives
lists at ...3351...
Tue Oct 15 19:05:04 EDT 2002
I didn't see this covered in the FAQ.
We are receiving a lot of spp:portscan alerts when internal users go to
sites like msn.com (go figure).
All the separate banner ads are showing up as separate IPs and the
portscan preprocessor fires. I have tried increasing the thresholds to
I could add HOME_NET to the ignore hosts variable, but would prefer to
just have the preprocessor for sensor ignore what it thinks are port
scans on port 80.
So can I get the portscan preprocessor to ignore port 80?
Thanks to everybody for your help.