[Snort-users] Flow-portscan oddity
cmg at ...671...
Wed Apr 14 13:53:10 EDT 2004
"Douglas McCrea" <dmccrea at ...10965...> writes:
> That's what I mean... Flow-Portscan works in the sense that it can be
> configured to show that a scan or attack is happening from one host to
> another, but it's totally useless without actually knowing what ports are
> being scanned... As an analyst, the information below is nearly useless
> to me.
At most it will only keep the last machines scanned when outputting
via the pktkludge output. It's supposed to be a real-time component to
give you something to alert on and then go look at NetFlow-esque data
from around that alert timerange to find out what was actually
I'll be the first to admit configuring it is a PITA, but it's good at
being consistent on memory usage. It also suffers from having been shoved
into the same old output systems that everything else uses.
I think it also has way too many end user knobs exposed by default so
the command line configuration really sucks.
Chris Green <cmg at ...1121...>
"I have no ability to read string
handling code in a gaim window" -- me
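The pivot Chris describes, alert first and then flow data around the alert time to recover the ports, as an added example that is not part of the original thread or of Snort. The alert, the flow lines and their CSV column layout are all constructed for the example; a real collector export would need its own parser.

```python
"""Pivot from a flow-portscan style alert to flow records around it."""
from datetime import datetime, timedelta

# Constructed alert: the preprocessor tells you who scanned whom, and when.
ALERT = {"time": datetime(2004, 4, 14, 13, 40, 0),
         "scanner": "10.0.0.5", "target": "192.168.1.20"}

# Constructed flow records (assumed layout): start time, src, dst, dst port, proto.
FLOW_LINES = """\
2004-04-14 13:39:58,10.0.0.5,192.168.1.20,21,tcp
2004-04-14 13:39:59,10.0.0.5,192.168.1.20,22,tcp
2004-04-14 13:40:00,10.0.0.5,192.168.1.20,23,tcp
2004-04-14 13:40:01,10.0.0.5,192.168.1.20,80,tcp
2004-04-14 13:40:01,10.0.0.5,192.168.1.20,80,tcp
2004-04-14 13:40:02,10.0.0.5,192.168.1.20,443,tcp
2004-04-14 13:40:01,10.0.0.5,192.168.1.21,22,tcp
2004-04-14 12:00:00,10.0.0.5,192.168.1.20,25,tcp
2004-04-14 13:40:00,10.0.0.9,192.168.1.20,53,udp
"""

def parse_flows(text):
    """Parse the constructed CSV flow lines into (start, src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                      src, dst, int(dport), proto))
    return flows

def scanned_ports(alert, flows, window_s=30):
    """Return {proto: sorted ports} the scanner touched on the target within
    +/- window_s seconds of the alert. Flows to other hosts, from other
    sources, or outside the window are ignored, so the result is the port
    list the alert itself never carries."""
    lo = alert["time"] - timedelta(seconds=window_s)
    hi = alert["time"] + timedelta(seconds=window_s)
    seen = {}
    for start, src, dst, dport, proto in flows:
        if src == alert["scanner"] and dst == alert["target"] and lo <= start <= hi:
            seen.setdefault(proto, set()).add(dport)
    return {proto: sorted(ports) for proto, ports in seen.items()}

if __name__ == "__main__":
    for proto, ports in scanned_ports(ALERT, parse_flows(FLOW_LINES)).items():
        print(f"{ALERT['scanner']} -> {ALERT['target']} {proto}: {ports}")
```

Widening or narrowing the window is the analyst's call; a few seconds catches a fast sweep, a few minutes a slow one.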