[Snort-users] ids problems

Jasmine CHUA Jasmine.Chua at ...11322...
Wed Apr 21 23:44:02 EDT 2004


 


Thanks for your reply. I have tried that before. But it still does not work.
:(



-----Original Message-----
From: Guillaume Arcas [mailto:guillaume.arcas at ...953...]
Sent: Thursday, April 22, 2004 13:17
To: Jasmine CHUA
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ids problems


Jasmine CHUA wrote:

Hi.

> Problem 1)
>
> Flow-Portscan works but not quite well for me. On Acid I only see the very
> first portscan alert and thereafter, I don't get to see the next and the
> next portscan alert on Acid. It's really weird. Right now, I can only see
> all the portscan alerts in syslog.
>
> Here's my snort.conf:
>
> preprocessor flow: stats_interval  hash 2
> preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET alert-mode once output-mode pktkludge

You have to change the alert mode from "once" (only log the first event)
to "all" (quite self-understanding...).

-- 
Guillaume Arcas

--------------------------------------------------
We must part. We are two children,
we have done something foolish. (Yvonne de Galais)




