[Snort-users] sfportscan - open ports

Hin hchlai at ...2792...
Fri Apr 1 14:50:21 EST 2005

Thanks Jeremy... I believe I'll wait for 2.4 to come out. I can't find the patch that you indicated on the web, but any assistance would be appreciated.
I'm just curious: since sfportscan is a preprocessor, I would think that threshold.conf will not work on it. Data seems to flow from physical link -> packet capture kernel module or pcap -> snort decoder -> snort preprocessor -> snort signature file. I thought threshold.conf will only interact after the preprocessor passes the info to the signature file. Am I correct?
Many thanks!


Jeremy Hewlett <jh at ...1935...> wrote:

>On Tue, Mar 29, Hin wrote:
>> Can someone give me some advice on how to suppress the "portscan:
>> open port" alert? I have put "suppress gen_id 122, sig_id 27" on the
>Hin -
>There is a fix for this in CVS' SNORT_2_3 branch. Could you check out
>this branch and let me know if it suits your needs?
