[Snort-users] Tuning sfPortscan

Alex Gottschalk agottschalk at ...13723...
Wed Mar 15 10:23:02 EST 2006


Rob Ward wrote:
> 
> What I'd like to do, rather than disable the preprocessor, is see only 
> alerts for scans to hosts on our network. 

I'm having almost exactly the same issue, and would be very interested 
to know if anyone has worked out a good solution to this.  For the time 
being, I've disabled the portsweep scan, since that seems to create the 
greatest number of useless alerts.

Solutions would be what Rob said above, or to be able to filter by port 
(as in, ignore "portsweeps" to EXTERNAL_NET on ports 80 and 443).

Alex

#include <std-disclaimer.h>

/-------------------------------------------------\
| Alex Gottschalk <agottschalk at ...13723...>      |
| IT Manager/Sysadmin, LetsTalk, Inc.             |
\-------------------------------------------------/
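
Added example, not part of the original message and not Snort code: one way to get what Rob describes is to post-filter alert output so that sfPortscan alerts are kept only when the scanned host is on your own network. It assumes alert_fast-style lines ending in "src -> dst" and relies on sfPortscan's generator ID 122; HOME_NET and all sample lines are constructed.

```python
import ipaddress
import re

# Assumption: your protected ranges (the equivalent of Snort's HOME_NET).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

# Assumption: alert_fast-style layout, "[gid:sid:rev] msg [**] ... src -> dst".
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)

SFPORTSCAN_GID = "122"  # generator ID used by the sfPortscan preprocessor


def in_home_net(addr):
    """True if addr falls inside any HOME_NET range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def keep(line):
    """Drop only sfPortscan alerts whose target is outside HOME_NET."""
    m = ALERT_RE.search(line)
    if m is None or m.group("gid") != SFPORTSCAN_GID:
        return True  # other alerts and unparsed lines are never hidden
    return in_home_net(m.group("dst"))


def filter_alerts(lines):
    return [ln for ln in lines if keep(ln)]


# Constructed sample alerts (documentation address ranges).
SAMPLE = [
    "03/15-10:20:01.000001  [**] [122:3:0] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.7",   # outbound sweep
    "03/15-10:21:14.000002  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.9 -> 192.0.2.25",    # scan of our host
    "03/15-10:22:40.000003  [**] [1:1000001:1] constructed web rule [**] "
    "[Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.7:80",  # not sfPortscan
    "unparsed line that should pass through untouched",
]

if __name__ == "__main__":
    for alert in filter_alerts(SAMPLE):
        print(alert)
```

Filtering after the fact keeps the preprocessor enabled and the raw alert file complete, so dropped portsweep alerts remain available for later review.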