[Snort-users] Tuning sfPortscan

Alex Gottschalk agottschalk at ...13723...
Wed Mar 15 11:15:10 EST 2006

Eric Hines wrote:
> You guys really should be using the preprocessor's tuning options built
> in to sfportscan rather than disabling things. Check out the
> ignore_scanners and ignore_scanned directives, play with the sensitivity
> level, etc.

Having done quite a bit of Googling and reading of the Snort manual, it 
seems like there isn't really any way of putting something along the 
lines of "! $HOME_NET" into the ignore_scanned field.  Or specifying 
certain ports to ignore.

> Turning things off entirely because of false positives is a really bad
> practice..

I did not turn off sfportscan entirely -- I turned off the portsweep 
scan_type because that was where 99% of the false positives were.  I'd 
like to turn it on again, but not if it's going to fill my logs with 
bogus results.
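For readers following the thread, here is a snort.conf fragment showing the sfPortscan knobs being argued about (ignore_scanners, ignore_scanned, sense_level, scan_type) alongside the event-suppression route, which keeps portsweep detection running while silencing a known-noisy source range. This is an added example, not configuration from either poster; the addresses and log path are placeholders, and the GID 122 signature IDs are assumed to match the gen-msg.map of the reader's Snort 2.x build and should be checked there.

```conf
# Added example (not from the thread): tuning sfPortscan instead of
# switching the portsweep scan_type off. All addresses are placeholders.

# ignore_scanners: hosts that legitimately touch many targets (monitoring
#   boxes, vulnerability scanners, mail and DNS relays); they never count
#   as the scanning side.
# ignore_scanned: targets that attract legitimate fan-in (a public web
#   farm); they never count as the scanned side.
# Both take plain IP / CIDR lists. Negation such as "! $HOME_NET" is not
#   accepted, as noted in the thread.
# watch_ip: narrows the addresses sfPortscan looks at, the closest thing
#   to scoping detection to the local network.
# sense_level: low needs the most evidence before alerting and so produces
#   the fewest false positives; high is the noisiest.
# scan_type: "all" re-enables portsweep; the poster's workaround was to
#   list only portscan decoy_portscan distributed_portscan here.
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanners { 192.168.10.5 192.168.10.6 10.9.0.0/24 } \
    ignore_scanned { 192.168.20.0/24 } \
    watch_ip { 192.168.10.0/24 } \
    logfile { /var/log/snort/portscan.log }

# If portsweep alerts still flood from one outside range, suppress just
# those events (generator 122) by source rather than disabling the scan
# type; every other sfPortscan event keeps alerting. Assumed SIDs for the
# 2.x series, to be verified in gen-msg.map:
#   3 = TCP portsweep, 11 = IP portsweep, 19 = UDP portsweep, 25 = ICMP sweep
suppress gen_id 122, sig_id 3,  track by_src, ip 203.0.113.0/24
suppress gen_id 122, sig_id 11, track by_src, ip 203.0.113.0/24
suppress gen_id 122, sig_id 19, track by_src, ip 203.0.113.0/24
suppress gen_id 122, sig_id 25, track by_src, ip 203.0.113.0/24
```

The suppress lines are the practical answer to "re-enable portsweep without filling the logs": they act on the already-generated events, so detection state is still built and a sweep from any other source still alerts, whereas dropping portsweep from scan_type loses those alerts entirely.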


