[Snort-users] Portscan Detection

Sat Apr 10 12:09:03 EDT 2004

For those using Snort on extremely busy networks or academic
networks, what type of portscan rulesets are you using? We have
about 8000 nodes on our network and see scans going by all day long,
but would like to keep reports down to a minimum...maybe like once
an hour...and do it only with Snort and other tools such as grep,
awk, sed, etc.

We've gotten fairly good at thresholding scans to 135/tcp and other
normal noise by requiring 520 connections in 600 seconds, etc., but
would like to know how other folks are doing it :)


- Eric
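One way to get the once-an-hour summary with only awk, added here as an example and not part of Eric's post: a sliding-window count over Snort alerts, parameterized so the 520-in-600-seconds figure from the post can be passed in. The function name `scan_summary`, the "fast" alert line layout, time-ordered IPv4 input within one non-leap year, and the sample lines are all assumptions.

```shell
#!/bin/sh
# Added example. Usage: scan_summary COUNT SECONDS < alert.fast
# Assumes time-ordered Snort "fast" alert lines, IPv4, one non-leap year.
# Prints one line per (hour, source, dest port) that reached COUNT alerts
# inside any SECONDS-long window, with the peak window count for that hour.
scan_summary() {
  awk -v need="$1" -v win="$2" '
  BEGIN { split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ") }
  / -> / {
    # $1 is MM/DD-HH:MM:SS.usec; the last three fields are SRC:PORT -> DST:PORT
    split($1, t, "[/:.-]")
    now = ((cum[t[1] + 0] + t[2]) * 24 + t[3]) * 3600 + t[4] * 60 + t[5]
    src = $(NF - 2); sub(/:[0-9]+$/, "", src)
    dport = $NF;     sub(/^.*:/, "", dport)
    k = src SUBSEP dport
    # Per-key queue of timestamps; drop entries that fell out of the window
    ts[k, ++tail[k]] = now
    if (!(k in head)) head[k] = 1
    while (now - ts[k, head[k]] >= win) delete ts[k, head[k]++]
    c = tail[k] - head[k] + 1
    if (c >= need) {
      hour = sprintf("%02d/%02d %02d:00", t[1], t[2], t[3])
      if (!((hour, k) in peak)) order[++n] = hour SUBSEP k
      if (c > peak[hour, k]) peak[hour, k] = c
    }
  }
  END {
    # One report line per hour and scanner, in order of first detection
    for (i = 1; i <= n; i++) {
      split(order[i], p, SUBSEP)
      printf "%s %s dport=%s peak=%d\n", p[1], p[2], p[3], peak[order[i]]
    }
  }'
}

# Constructed sample alerts (not real traffic); threshold lowered to 3 in 600 s.
scan_summary 3 600 <<'EOF'
04/10-12:01:00.000000  [**] [1:0:0] constructed [**] {TCP} 10.0.0.5:4000 -> 192.0.2.9:135
04/10-12:02:00.000000  [**] [1:0:0] constructed [**] {TCP} 10.0.0.5:4001 -> 192.0.2.10:135
04/10-12:03:00.000000  [**] [1:0:0] constructed [**] {TCP} 10.0.0.5:4002 -> 192.0.2.11:135
04/10-12:40:00.000000  [**] [1:0:0] constructed [**] {TCP} 10.0.0.7:4000 -> 192.0.2.9:135
EOF
```

Run against the real alert file with `scan_summary 520 600` to apply the threshold quoted in the post.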

