[Snort-users] How can you classify portscans in ACID unique alert screen...
pheonix32 at ...7386...
Sat Jan 11 17:27:04 EST 2003
The "unique alerts" web page displays alerts by classification. Port scans (detected by the snort preprocessor) log into ACID fine, but are classified as "undefined". If a classification is unavailable, ACID classifies a scan by the number of ports opened in 4 seconds. During long port scans this can cause a single portscan to be logged anywhere up to 20 times in the "unique alerts" screen.
To try and get around this I have created a custom rule with a classification and want this to be logged to ACID when a portscan is detected.
How can I get the preprocessor to call that rule?
Any ideas how to do this would be appreciated.
Using modified (snort 1.87)
Sheabo at ...5698...