[Snort-users] preprocessor flow-portscan
kevmcs11 at ...131...
Thu Jan 29 06:29:45 EST 2004
I am trying to work out a base configuration for
What I have currently is:
preprocessor flow: stats_interval 10 hash 2
preprocessor flow-portscan: unique-memcap 5000000 \
    unique-rows 50000 \
    tcp-penalties on \
    server-scanner-limit 5000 \
    scanner-sliding-threshold 12 \
    scanner-fixed-threshold 2 \
    scanner-sliding-window 30 \
    scanner-fixed-window 60 \
    talker-fixed-threshold 12 \
    talker-sliding-threshold 12 \
    talker-fixed-window 60 \
    talker-sliding-window 30 \
    alert-mode all \
This config will generate an alert but will not alert
twice with the same host.
I would like to alert every 60 seconds if the
internal hosts are port scanning external subnets. I
am not using the server-* options, lowering the
thresholds and sliding-windows but to no avail. Any
help is appreciated,