[Snort-users] How to tune the portscan/portsweep preprocessors

Craig Merchant cmerchant at ...16022...
Wed Apr 10 20:26:23 EDT 2013

I've been experimenting with slowly increasing the number of preprocessors running on our test Snort sensors.  Every time I turn on the portscan/portsweep preprocessors, I get flooded with events that (almost exclusively) seem like false positives.

I've tried drilling down into the rules, but the logic of each one isn't present in the rule definition.

Is there any way to tune these rules and/or the preprocessor?

