[Snort-users] How many ports is considered a portsweep/portscan?

Russ Combs rcombs at ...1935...
Fri Mar 19 05:41:18 EDT 2010


What version of Snort are you using?  The latest version has event_filters
that may do exactly what you want.  Check out the README.filters for more.

On Fri, Mar 19, 2010 at 2:43 AM, Nerijus Krukauskas <nkrukauskas at ...11827...> wrote:

> Hi,
>
> On 2010-03-19, James Lay <jlay at ...13475...> wrote:
> > I took a good solid read of the README for sfportscan, but at the end of the
> > day it seems that I'm left with only a couple options of ignore_scanners,
> > and ignore_scanned.  Am I reading something wrong?  These seem pretty binary
> > to me....unless there's a more granular level of control that I'm missing.
>
> You're not alone with this kind of feeling. I have it too. And I'm
> ignoring much of the portscan alerts, unless the statistical alert
> picture changes.
>
> --
> http://nk99.org/