[Snort-users] sfportscan tuning

Kamran Shafi kamran.shafi at ...11827...
Wed Mar 12 00:47:42 EDT 2008


Oops guess I replied to personal address.

On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi at ...11827...>
wrote:

> Thanks for a quick reply Joel,
>
> In the conf file there are apparently only three levels (low, medium and
> high) of sensitivity that you can set for sfportscan preprocessor which I
> believe have their thresholds set internally. I understand that the local
> and global thresholds can be configured using threshold directives at rule
> level or globally but that does not seem to affect the preprocessor
> settings. I am actually simulating some scanning activity which is being
> detected by the portscan preprocessor, but I want snort to alert more often
> than it is doing with the high sensitivity.
>
> What am I missing and sorry for my ignorance :(.
>
>
> On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler at ...1935...>
> wrote:
>
> > Take a look at the snort.conf file in the etc/ directory.  All your
> > config options are in there.  The README is in doc/
> > J
> >
> > On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:
> >
> > Hi all,
> >
> > Do I need to change the threshold settings of portscan preprocessor in
> > src/preprocessors/portscan.c  or is there a softer way of changing the
> > thresholds for the alerts generated by this preprocessor??
> >
> > Do I need to uninstall Snort first when I modify the .c file and then
> > recompile? I earlier installed Snort using the package manager, I guess
> > after doing this change I will just need to follow the standard sequence of
> > make
> >
> > make clean
> > ./configure
> > make
> > make install
> >
> > Am I right or missing some step? Sorry if it's a very basic question -
> > just didn't want to stuff up my existing setup.
> >
> > --
> > Regards
> > Kam
> >
> > --
> > Joel Esler  joel.esler at ...1935...
> >
> >
> >
> >
> >
>
>
> --
> Regards
> Kamran Shafi
> +61 41 824 9510




-- 
Regards
Kamran Shafi
+61 41 824 9510