[Snort-users] sfportscan tuning

Joel Esler joel.esler at ...1935...
Wed Mar 12 08:00:00 EDT 2008


Have you looked at the readme?

--
Joel Esler
Sent from the iRoad.

On Mar 12, 2008, at 12:47 AM, "Kamran Shafi" <kamran.shafi at ...11827...>  
wrote:

> Oops guess I replied to personal address.
>
> On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi  
> <kamran.shafi at ...11827...> wrote:
> Thanks for a quick reply Joel,
>
> In the conf file there are apparently only three levels (low, medium  
> and high) of sensitivity that you can set for sfportscan  
> preprocessor which I believe have their thresholds set internally. I  
> understand that the local and global thresholds can be configured  
> using threshold directives at rule level or globally but that does  
> not seem to affect the preprocessor settings. I am actually  
> simulating some scanning activity which is being detected by the  
> portscan preprocessor, but I want snort to alert more often than it  
> is doing with the high sensitivity.
>
> What am I missing and sorry for my ignorance :(.
>
>
> On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler at ...1935... 
> > wrote:
> Take a look at the snort.conf file in the etc/ directory.  All your  
> config options are in there.  The README is in doc/
>
> J
>
> On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:
>
>> Hi all,
>>
>> Do I need to change the threshold settings of portscan preprocessor  
>> in src/preprocessors/portscan.c  or is there a softer way of  
>> changing the thresholds for the alerts generated by this  
>> preprocessor??
>>
>> Do I need to uninstall Snort first when I modify the .c file and  
>> then recompile? I earlier installed Snort using the package  
>> manager, I guess after doing this change I will just need to follow  
>> the standard sequence of make
>>
>> make clean
>> ./configure
>> make
>> make install
>>
>> Am I right or missing some step? Sorry if it's a very basic question  
>> - just didn't want to stuff up my existing setup.
>>
>> -- 
>> Regards
>> Kam  
>
>
> --
> Joel Esler  joel.esler at ...1935...
>
> -- 
> Regards
> Kamran Shafi
> +61 41 824 9510