bill_terwilliger at ...10149...
Mon Sep 29 06:03:13 EDT 2003
portscan2 is snort's next generation portscan detection preprocessor.
It allows you to configure the max number of hosts and/or
ports that a portscanner can hit before it is alerted on. The
scanners_max - max number of potential portscanners that snort will
track in the tree
targets_max - max number of different targets that snort will track (I
think that this is per portscanner, but I forget)
target_limit - max targets a portscanner can hit before an alert is sent
port_limit - max ports that a portscanner can hit before an alert is
sent - the port count is a sum of the ports from all hosts (very cool)
timeout - the portscanner's inactivity timeout - portscanners will be
removed from the tree if this value is hit
log - portscan2 has its own log
Here are the default values:
#define DEFAULT_MAX_SCANNER 1000
#define DEFAULT_TARGET_COUNT 1000
#define DEFAULT_TARGET_LIMIT 5
#define DEFAULT_PORT_LIMIT 20
#define DEFAULT_TIMEOUT 60
--bill

On Saturday, September 27, 2003, at 02:05 PM, sauron wrote:
> What is spp_portscan2? I get a lot from my PC to other PCs and I
> didn't make any scan.
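
The counting scheme described in the reply above, sketched as an added example; it is not Snort's code and not part of the original message. It uses the default values quoted there and shows why a source that touches only a few ports per host can still trip port_limit. Assumptions: an alert fires when a count exceeds its limit, ports are counted as distinct (target, port) pairs, a new source is ignored while the table is full, and targets_max is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Scanner:
    last_seen: float
    targets: dict = field(default_factory=dict)  # target IP -> set of ports hit
    alerted: bool = False

def detect(events, scanners_max=1000, target_limit=5, port_limit=20, timeout=60):
    """events: time-ordered (ts, src, dst, dport). Returns [(ts, src, reason)]."""
    scanners, alerts = {}, []
    for ts, src, dst, dport in events:
        # timeout: forget sources that have been idle too long
        for ip in [ip for ip, s in scanners.items() if ts - s.last_seen > timeout]:
            del scanners[ip]
        s = scanners.get(src)
        if s is None:
            if len(scanners) >= scanners_max:
                continue  # assumption: table full, new source is not tracked
            s = scanners[src] = Scanner(last_seen=ts)
        s.last_seen = ts
        s.targets.setdefault(dst, set()).add(dport)
        # port count is summed over every target this source has touched
        ports = sum(len(p) for p in s.targets.values())
        if s.alerted:
            continue  # one alert per tracked source
        if len(s.targets) > target_limit:  # assumption: alert when exceeded
            reason = "target_limit"
        elif ports > port_limit:
            reason = "port_limit"
        else:
            continue
        s.alerted = True
        alerts.append((ts, src, reason))
    return alerts

def sample_events():
    """Constructed traffic: three sources with different scan shapes."""
    # 7 ports on each of 3 hosts: no host sees many ports, the sum is 21
    spread = [(h * 7 + p, "10.0.0.5", f"192.168.1.{h + 1}", 1000 + p)
              for h in range(3) for p in range(7)]
    # one port on 6 hosts
    sweep = [(30 + i, "10.0.0.9", f"192.168.2.{i + 1}", 445) for i in range(6)]
    # two bursts of 15 ports, 186 s apart: the timeout resets the count
    slow = [(t0 + p, "10.0.0.7", "192.168.3.1", 2000 + t0 + p)
            for t0 in (0, 200) for p in range(15)]
    return sorted(spread + sweep + slow)

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

With the defaults, the third source never alerts because its two bursts are separated by more than the timeout; raising the timeout makes the same traffic cross port_limit.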