[Snort-users] Tuning sfPortscan
rob.ward at ...11329...
Mon Mar 13 04:02:01 EST 2006
Hi, one of my sensors is generating a lot of noise from sfPortscan. The
alerts are generated correctly (the sensor is monitoring our residential
network) mostly by p2p traffic. The problem I have is they're filling my
database and causing a performance issue.

What I'd like to do, rather than disable the preprocessor, is see only
alerts for scans to hosts on our network. I've added our address range as
'watch_ip' but what I'd like to do is use the equivalent of EXTERNAL_NET
from snort.conf for 'ignore_scanned'. Unless I've missed something there
isn't an equivalent for sfPortscan?
University of Liverpool
Computing Services Department