[Snort-users] Snortsam / Portscanning Detection
tjgroves at ...5068...
Mon Dec 29 11:47:05 EST 2003
I was going to try to get our PIX firewall set up with snort / snortsam
and I had a question. We are interested in having the firewall block the
offending IP address when we receive a portscan, but I could not figure
out where we should place the "fwsam: src, 5 minutes;" entry, because in
snort 2.1.0 (I do not know about previous versions) the portscanning
detection is a preprocessor. If I set the "output-mode" to "pktkludge" I
can see it in the alerts database and everything, but as I said, I have
no idea how to set a different output plug-in for this. That is, if it
can even currently be done. Any help would be greatly appreciated.