[Snort-users] FW: preprocessor flow-portscan:

[Parent,Patrice [CMC]]

> Hi,
> 
> I have a couple of questions concerning the port scan function of
> snort;
> Is there a way to configure the different variables of the
> `preprocessor flow-portscan:` in the snort.conf file so that ;
> - It display a sample of the port scan in MySQL or in a Log file?
> - In the case of an IP scan, It display the total number of host scan
> by the source IP in the sequence?
> 
> 
> Following is my configuration of the flow-portscan: 
> 
> preprocessor flow-portscan: \
>        scoreboard-rows-talker 1000000 \
>        scoreboard-rows-scanner 250000 \
>        unique-rows 1000000 \
>        server-rows 65536 \
>        scoreboard-memcap-talker 25165824 \
>        scoreboard-memcap-scanner 6291456 \
>        scanner-fixed-threshold 15 \
>        talker-fixed-threshold 15 \
>        scanner-sliding-threshold 40 \
>        talker-sliding-threshold 30 \
>        scanner-fixed-window 15 \
>        talker-fixed-window 30 \
>        scanner-sliding-window 20 \
>        talker-sliding-window 30 \
>        talker-sliding-scale-factor 0.50 \
>        scanner-sliding-scale-factor 0.50 \
>        src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
>        dst-ignore-net [10.0.0.0/30] \
>        tcp-penalties on \
>        server-watchnet[10.10.10.10/16] \
>        server-ignore-limit 500 \
>        server-scanner-limit 500 \
> #      alert-mode all \
>        alert-mode once \
> #      output-mode msg \
>        output-mode pktkludge \
>        server-learning-time 3600
> 
> 
> Thanks for your help
> 
> Patrice
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041102/d0543af3/attachment.html>