[Snort-users] How many ports is considered a portsweep/portscan?

Nerijus Krukauskas nkrukauskas at ...11827...
Fri Mar 19 02:43:37 EDT 2010


On 2010-03-19, James Lay <jlay at ...13475...> wrote:
> I took a good solid read of the README for sfportscan, but at the end of the
> day it seems that I'm left with only a couple options of ignore_scanners,
> and ignore_scanned.  Am I reading something wrong?  These seem pretty binary
> to me....unless there's a more granular level of control that I'm missing.

You're not alone with this kind of feeling. I have it too. And I'm
ignoring many of the portscan alerts, unless the statistical alert
picture changes.

