[Snort-users] Snortsam / Portscanning Detection

Tuomas Groves tjgroves at ...5068...
Mon Dec 29 11:47:05 EST 2003


Hey everyone,

I was going to try to get our PIX firewall set up with snort / snortsam 
and I had a question. We are interested in having the firewall block the 
offending IP address when we receive a portscan, but I could not figure 
out where we should place the "fwsam: src, 5 minutes;" entry. Because in 
snort 2.1.0, I do not know about previous versions, the portscanning 
detection is a preprocessor. If I set the "output-mode" to "pktkludge" I 
can see it in the alerts database and everything, but as I said, I have 
no idea how to set a different output plug-in for this. That is if it 
can even currently be done. Any help would be greatly appreciated.

   Tuomas Groves




