[Snort-users] spp_portscan2??

Bill Terwilliger bill_terwilliger at ...10149...
Mon Sep 29 06:03:13 EDT 2003


portscan2 is snort's next generation portscan detection preprocessor.  
It allows you to configure the max number of hosts and/or 
ports that a portscanner can hit before it is alerted on.  The 
parameters are:

scanners_max - max number of potential portscanners that snort will 
track in the tree
targets_max - max number of different targets that snort will track (I 
think that this is per portscanner, but I forget)
target_limit - max targets a portscanner can hit before an alert is sent
port_limit - max ports that a portscanner can hit before an alert is 
sent - the port count is a sum of the ports from all hosts (very cool)
timeout - the portscanner's inactivity timeout - portscanners will be 
removed from the tree if this value is hit
log - portscan2 has its own log

Here are the default values:
#define DEFAULT_MAX_SCANNER 1000
#define DEFAULT_TARGET_COUNT 1000
#define DEFAULT_TARGET_LIMIT 5
#define DEFAULT_PORT_LIMIT   20
#define DEFAULT_TIMEOUT      60

--bill

On Saturday, September 27, 2003, at 02:05 PM, sauron wrote:

> what is spp_portscan2? i get a lot from my pc to other pc's and i 
> didn't make any scan.
> thx
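An added illustration, not part of the message above and not Snort's own code: a simplified model of how target_limit, port_limit and timeout interact for a single source address, using the default values quoted in the reply. It assumes an alert fires once a count exceeds its limit and that timeout is in seconds; struct source, observe, first_alert and CAP are hypothetical names, and scanners_max/targets_max are not modelled.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_LIMIT 5   /* DEFAULT_TARGET_LIMIT from the post */
#define PORT_LIMIT   20  /* DEFAULT_PORT_LIMIT from the post */
#define TIMEOUT      60  /* DEFAULT_TIMEOUT from the post, taken as seconds */
#define CAP          256 /* capacity of this model, not a Snort value */

/* Hypothetical per-source state: distinct targets and distinct (target, port) pairs. */
struct source {
    unsigned target[CAP]; unsigned long long pair[CAP];
    int ntargets, npairs; long last_seen;
};

/* Record one attempt; returns 1 while a count exceeds its limit (assumed semantics). */
int observe(struct source *s, long now, unsigned dst, unsigned short port)
{
    unsigned long long key = ((unsigned long long)dst << 16) | port;
    int i;
    if (s->ntargets && now - s->last_seen > TIMEOUT)
        memset(s, 0, sizeof *s);          /* inactive too long: source is forgotten */
    s->last_seen = now;
    for (i = 0; i < s->ntargets && s->target[i] != dst; i++) {}
    if (i == s->ntargets && i < CAP) s->target[s->ntargets++] = dst;
    for (i = 0; i < s->npairs && s->pair[i] != key; i++) {}
    if (i == s->npairs && i < CAP) s->pair[s->npairs++] = key;  /* ports summed over hosts */
    return s->ntargets > TARGET_LIMIT || s->npairs > PORT_LIMIT;
}

/* Constructed traffic: n attempts, step seconds apart. spread=1: new host on port 80
 * each time; spread=0: one host, new port each time. Returns first alerting attempt or 0. */
int first_alert(int n, long step, int spread)
{
    struct source s;
    int k;
    memset(&s, 0, sizeof s);
    for (k = 1; k <= n; k++)
        if (observe(&s, k * step, spread ? 0x0a000000u + k : 0x0a000001u,
                    spread ? 80 : (unsigned short)k))
            return k;
    return 0;
}

int main(void)
{
    printf("new host/sec: %d, new port/sec: %d, new host/61s: %d\n",
           first_alert(10, 1, 1), first_alert(30, 1, 0), first_alert(30, 61, 1));
    return 0;
}
```

In this model a source that contacts six different hosts on port 80 within the timeout window crosses target_limit even though no scanning tool is involved, while the same six contacts spaced more than 60 seconds apart never accumulate.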





