[Snort-users] How many ports is considered a portsweep/portscan?

Nerijus Krukauskas nkrukauskas at ...11827...
Wed Mar 24 08:12:04 EDT 2010


On 2010-03-19, Russ Combs <rcombs at ...1935...> wrote:
> What version of Snort are you using?  The latest version has event_filters
> that may do exactly what you want.  Check out the README.filters for more.

Mine is 2.8.4. I will move to 2.8.6 as soon as the OS upgrade
permits, which is not in my control...

Damn, can somebody change the mailing list settings, so that replies
go to the mailing list?

> On Fri, Mar 19, 2010 at 2:43 AM, Nerijus Krukauskas
> <nkrukauskas at ...11827...> wrote:
>
>> Hi,
>>
>> On 2010-03-19, James Lay <jlay at ...13475...> wrote:
>> > I took a good solid read of the README for sfportscan, but at the end of the
>> > day it seems that I'm left with only a couple options of ignore_scanners,
>> > and ignore_scanned.  Am I reading something wrong?  These seem pretty binary
>> > to me....unless there's a more granular level of control that I'm missing.
>>
>> You're not alone with this kind of feeling. I have it too. And I'm
>> ignoring much of the portscan alerts, unless the statistical alert
>> picture changes.
>>
>> --
>> http://nk99.org/
>>
>


-- 
http://nk99.org/



