[Snort-users] preprocessor flow-portscan

Kevin Amorin kevmcs11 at ...131...
Thu Jan 29 06:29:45 EST 2004


Hello,
   I am trying to work out a base configuration for
flow-portscan.  

What I have currently is:

preprocessor flow: stats_interval 10 hash 2
preprocessor flow-portscan: unique-memcap 5000000 \
             unique-rows 50000 \
             tcp-penalties on \
             server-scanner-limit 5000 \
             scanner-sliding-threshold 12 \
             scanner-fixed-threshold 2 \
             scanner-sliding-window 30 \
             scanner-fixed-window 60 \
             talker-fixed-threshold  12 \
             talker-sliding-threshold  12 \
             talker-fixed-window  60 \
             talker-sliding-window  30 \
             alert-mode all \
             output-mode msg


This config will generate an alert but will not alert
twice with the same host.
I would like to alert every 60 seconds if the
internal hosts are port scanning external subnets. I
am not using the server-* options, lowering the
thresholds and sliding-windows but to no avail. Any
help is appreciated,



Thanks
Kevin



