[Snort-users] How can you classify portscans in ACID uniqe alert screen...

James MacKinnon pheonix32 at ...7386...
Sat Jan 11 17:27:04 EST 2003

Hi There,

The "unique alerts" web page displays alerts by classification. Port scans (detected by snort preprocessor) log into ACID fine, but are classified as "undefined".  If a classification is unavailable, ACID classifys a scan by the number of ports opened in 4 seconds. During long port scans this can cause a single portscan to be logged anywhere up to 20 times in the "unique alerts" screen. 

To try and get around this I have created a custom rule with a classification and want this to be logged to acid when a portscan is detected.

How can I get the preprocessor to call that rule ???

Any ideas how to do this would be appreciated.

Using modified (snort 1.87)


Sheabo at ...5698...
Get your free email from http://mymail.operamail.com

Powered by Outblaze

More information about the Snort-users mailing list