[Snort-users] Nmap -sT detection
wkitty42 at ...14940...
Thu Jul 24 15:09:55 EDT 2014
On 7/24/2014 2:10 AM, Meysam Farazmand wrote:
> Hello all,
> As you know, in nmap, when we use the -sT switch and set the timing template to paranoid
> or polite, it's impossible for snort to detect the port scan. So I have an idea. In
> snort rules, if we could say, for example, when more than five ports are accessed by one
> host in 1 hour, trigger an alert. So I wanted to know if it's possible to
> implement this idea in snort rules?
seems that thresholding via threshold.conf or in-rule detection_filter would be
where you would look... here's a link to detection_filter
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
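
The condition asked about above ("more than five ports accessed by one host in 1 hour"), written out as an added Python example; it is not part of the original thread and not Snort code. It compares a distinct-port count with a plain per-source match count, on the assumption that a detection_filter tracked by_src counts rule matches rather than distinct ports. The function names and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600    # seconds: the "1 hour" from the question
MAX_PORTS = 5    # alert when one source touches more than this many ports

def slow_scan_alerts(events, window=WINDOW, max_ports=MAX_PORTS):
    """events: (epoch_seconds, src_ip, dst_port) tuples sorted by time.
    Returns (time, src, ports) each time a source newly exceeds max_ports
    distinct destination ports inside the sliding window."""
    recent = defaultdict(deque)   # src -> (time, port) pairs still in window
    alerting, alerts = set(), []
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q[0][0] <= ts - window:      # expire entries older than window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > max_ports:
            if src not in alerting:        # alert once per threshold crossing
                alerting.add(src)
                alerts.append((ts, src, sorted(ports)))
        else:
            alerting.discard(src)
    return alerts

def match_count_sources(events, window=WINDOW, count=MAX_PORTS):
    """Sources with more than `count` connections in the window, whatever
    the port (assumed to be what a by_src rate filter measures)."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, _port in events:
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        if len(q) > count:
            flagged.add(src)
    return flagged

# Constructed sample: one host opening six different ports five minutes
# apart, and one ordinary client reconnecting to port 443 once a minute.
SAMPLE = sorted(
    [(i * 300, "192.0.2.10", p) for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [(i * 60, "198.51.100.7", 443) for i in range(8)]
)

if __name__ == "__main__":
    print("distinct ports:", slow_scan_alerts(SAMPLE))
    print("match count   :", sorted(match_count_sources(SAMPLE)))
```

On the sample, the distinct-port check reports only 192.0.2.10, while the match count also flags the client that keeps reconnecting to a single port.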