[Snort-users] Flow-portscan

Jochen Vogel jvogel at ...8466...
Thu Aug 12 05:39:02 EDT 2004


I tested flow-portscan.
Is it normal that snort detect a "scanner limit" only that the
server-learning-time is exceeded.

If i set server-learning-time to 360 and scan from a client to the server it
get the
5min "Talker Limits" and after this time "Scanner Limits"

If this is normal and i use the default value 28800 i will get 8 hours
"Talker Limits" instead of "Scanner Limits"?

Which sense make the sliding scale?

Thx for info

More information about the Snort-users mailing list